PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45946 Linux CVE debrief

A use-after-free vulnerability in the Linux kernel's AB8500 power supply driver could allow system crashes or memory corruption during driver removal or probe operations. The issue stems from incorrect devm_ resource allocation ordering where the IRQ handler could execute with a freed or uninitialized power_supply handle.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running embedded Linux systems with ST-Ericsson AB8500/AB8505/AB9540 power management ICs, particularly in mobile or IoT devices; kernel maintainers and distributors packaging stable kernel updates

Technical summary

The AB8500 power supply driver in the Linux kernel contains a race condition leading to use-after-free. The driver uses devm_request_threaded_irq() before devm_power_supply_register(), causing the power_supply handle to be freed before the IRQ handler is unregistered during driver removal. An interrupt firing in this window calls power_supply_changed() with a freed pointer, resulting in crashes or memory corruption. A similar race exists during probe() where interrupts could fire before power_supply registration completes, leading to use of uninitialized data. The vulnerability was introduced during componentized binding refactoring and is fixed by reversing the allocation order.

Defensive priority

medium

Recommended defensive actions

  • Review AB8500 power supply driver configurations in embedded Linux deployments, particularly those using ST-Ericsson AB8500/AB8505/AB9540 PMICs
  • Apply kernel updates from stable branches once patches are available for your specific kernel version
  • Monitor system logs for kernel oops or memory corruption indicators during device hotplug or power supply state changes
  • For custom kernel builds, verify that devm_power_supply_register() is called before devm_request_threaded_irq() or equivalent IRQ registration
  • Consider enabling KASAN (Kernel Address Sanitizer) in test environments to detect use-after-free conditions in power supply drivers

Evidence notes

The vulnerability description indicates this was introduced by commit 1c1f13a006ed during a refactorization to componentized binding. The fix involves reordering devm_ allocations so that the power_supply handle is registered before the IRQ is requested, ensuring proper reverse deallocation order during removal. Multiple stable kernel branch fixes are referenced.

Official resources

2026-05-27