PatchSiren

CVE-2026-46073 Linux CVE debrief

A logic error in the Linux kernel hwmon powerz driver fails to abort USB transfers when interrupted by a signal, potentially leading to use of uninitialized data.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators running kernels with the powerz hwmon driver enabled; organizations using USB power monitoring hardware; kernel maintainers and distributors packaging stable kernel updates

Technical summary

The hwmon powerz driver in the Linux kernel contains a logic error in its USB transfer completion handling. The function wait_for_completion_interruptible_timeout() returns -ERESTARTSYS when interrupted by a signal, but the original code only checked for timeout (return value 0) with !ret. On signal delivery, the negative return value caused !ret to evaluate false, skipping usb_kill_urb() and allowing the function to proceed with reading from an unfilled transfer buffer. The fix captures the return value as a long and handles both negative (signal) and zero (timeout) cases with proper usb_kill_urb() calls before returning an error.
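
The control-flow difference described above, as a userspace C model added here for illustration; it is not the kernel's powerz code. The model_* names, the struct, and the -ETIMEDOUT error code are assumptions, and the wait outcome is passed in as a parameter instead of coming from a real USB transfer.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MODEL_ERESTARTSYS 512 /* kernel-internal errno, defined for this model */
struct model_dev {        /* constructed stand-in for driver state */
    bool urb_killed;      /* set when the model's usb_kill_urb() runs */
    bool buffer_filled;   /* true only if the transfer completed */
    bool read_unfilled;   /* set if code went on to read an unfilled buffer */
};
static void model_kill_urb(struct model_dev *d) { d->urb_killed = true; } /* usb_kill_urb() stand-in */

/* Stand-in for wait_for_completion_interruptible_timeout():
 * >0 completed, 0 timed out, negative (-ERESTARTSYS) interrupted by a signal. */
static long model_wait(struct model_dev *d, long outcome)
{
    d->buffer_filled = outcome > 0;
    return outcome;
}

/* Pre-fix pattern: only a zero (timeout) result is treated as failure. */
static int read_before_fix(struct model_dev *d, long outcome)
{
    if (!model_wait(d, outcome)) {
        model_kill_urb(d);
        return -ETIMEDOUT;                  /* illustrative error code */
    }
    d->read_unfilled = !d->buffer_filled;   /* reached on a signal too */
    return 0;
}

/* Post-fix pattern: keep the long result, fail on both negative and zero. */
static int read_after_fix(struct model_dev *d, long outcome)
{
    long ret = model_wait(d, outcome);
    if (ret <= 0) {
        model_kill_urb(d);
        return ret < 0 ? (int)ret : -ETIMEDOUT;
    }
    d->read_unfilled = !d->buffer_filled;
    return 0;
}

int main(void)
{
    struct model_dev a = {0}, b = {0};
    int ra = read_before_fix(&a, -MODEL_ERESTARTSYS), rb = read_after_fix(&b, -MODEL_ERESTARTSYS);
    printf("before rc=%d killed=%d unfilled=%d\n", ra, a.urb_killed, a.read_unfilled);
    printf("after  rc=%d killed=%d unfilled=%d\n", rb, b.urb_killed, b.read_unfilled);
}
```

When auditing other drivers for the same pattern, look for the interruptible wait used directly inside a `!` test or assigned to a type narrower than long.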

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available for your distribution
  • Monitor vendor security advisories for patched kernel packages
  • If running custom kernels with the powerz driver, cherry-pick the fix commits from the stable kernel tree
  • Review systems using USB power monitoring hardware (powerz devices) for kernel version exposure

Evidence notes

CVE published 2026-05-27. Kernel commit references indicate fixes applied to stable branches. No CVSS score assigned; NVD status is Awaiting Analysis.
