CVE-2026-46075 Linux CVE debrief

Who should care

Organizations running Linux systems with Atmel SHA204A cryptographic hardware, particularly embedded systems and IoT devices utilizing this secure element for hardware random number generation. Cloud providers and kernel maintainers responsible for stable kernel backports should prioritize this fix.

Technical summary

The atmel-sha204a driver in the Linux kernel fails to properly synchronize device removal with pending I2C workqueue operations. The hwrng is not unregistered before teardown, allowing concurrent ->read() calls and queued callbacks to access freed memory. An early return bypasses sysfs entry removal and hwrng.priv deallocation. The resolution unregisters the hwrng first, flushes the I2C workqueue to drain pending operations, and ensures all cleanup paths execute by removing the early return.

Defensive priority

medium

Recommended defensive actions

• Apply kernel updates containing the referenced stable commits when available for your distribution
• For systems using the Atmel SHA204A hardware random number generator, prioritize patching if the device undergoes frequent hotplug or removal operations
• Monitor vendor security advisories for kernel package updates addressing this CVE
• Review system logs for any hwrng-related errors during device removal that may indicate trigger conditions

Evidence notes

The vulnerability description is sourced from the official CVE record published by NVD on 2026-05-27. The fix involves unregistering the hwrng, flushing the Atmel I2C workqueue, and removing an early return path to ensure proper cleanup. Multiple stable kernel commits are referenced indicating backports to affected versions.

Official resources