CVE-2026-46270: power: supply: rt9455: Fix use-after-free in power_supply_changed()
In the Linux kernel, the following vulnerability has been resolved:
power: supply: rt9455: Fix use-after-free in power_supply_changed()
Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order).
This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory...
Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`.
Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.
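The ordering problem in the description, replayed in a small user-space C model (an added example, not code from the kernel or from this page). The resource names and the three-step sequence are assumptions for illustration; only the relative order of the IRQ request and the `power_supply` registration comes from the description.

```c
#include <stdio.h>

/* Resource kinds in this model (constructed; not the driver's real list). */
enum res { RES_REGMAP, RES_IRQ, RES_PSY };

struct windows { int probe; int remove; };

/* The IRQ handler calls power_supply_changed(), so "IRQ live while
 * power_supply not live" is the unsafe state. */
static int unsafe(const int *live)
{
    return live[RES_IRQ] && !live[RES_PSY];
}

/* Replay probe (registration order) and removal (devm_ releases in
 * reverse registration order); count steps that leave an unsafe state. */
static struct windows replay(const enum res *order, int n)
{
    int live[3] = {0, 0, 0};
    struct windows w = {0, 0};

    for (int i = 0; i < n; i++) {        /* probe(): acquire in order */
        live[order[i]] = 1;
        w.probe += unsafe(live);
    }
    for (int i = n - 1; i >= 0; i--) {   /* removal: release in LIFO order */
        live[order[i]] = 0;
        w.remove += unsafe(live);
    }
    return w;
}

/* Before the fix: IRQ requested before the power_supply is registered. */
static const enum res before_fix[] = { RES_REGMAP, RES_IRQ, RES_PSY };
/* After the fix: IRQ requested after the power_supply is registered. */
static const enum res after_fix[]  = { RES_REGMAP, RES_PSY, RES_IRQ };

int main(void)
{
    struct windows a = replay(before_fix, 3), b = replay(after_fix, 3);
    printf("before fix: probe=%d remove=%d\n", a.probe, a.remove);
    printf("after fix:  probe=%d remove=%d\n", b.probe, b.remove);
    return 0;
}
```

A non-zero `probe` count corresponds to the uninitialized-handle case and a non-zero `remove` count to the use-after-free case; the same replay can be used when reviewing other drivers that mix `devm_` IRQ requests with later `devm_` registrations.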
Metrics
- CVSS v3.1: 8.4
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Linux kernel's rt9455 power supply driver, specifically in the ordering of devm_ resource registration during device probe and removal. The bug is reachable locally with no authentication required, as an attacker or racing interrupt needs only an existing presence on the host. Successful exploitation crashes the system or silently corrupts kernel memory, enabling full confidentiality, integrity, and availability impact. Patched-image rebuilds at the fix versions (5.10.252, 5.15.202, 6.1.165, and the upstream commit) are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel security feeds within minutes of publication and matched against customer images, including custom-built images that package affected kernel versions. Any image whose kernel falls within the vulnerable range is flagged automatically, regardless of whether it originated from a public base image or an internal build pipeline.
HarborGuard scores this CVE at CVSS 8.4 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within the customer organization based on policy-defined severity thresholds and image ownership rules.
A patched-image rebuild targeting the fixed kernel versions (5.10.252, 5.15.202, 6.1.165, or the upstream commit 2178dc65d45e2f7bcaa8af8d80d100419bdab251) is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access to the vulnerable service is required.
- Authentication: Not required
No credentials or account privileges are needed to trigger the race condition between interrupt firing and IRQ handler deregistration.
- Victim interaction: Not required
No user or administrator action is required; the vulnerability can be triggered by the attacker or by normal interrupt activity during device removal.
- Attack complexity: Low
Attack complexity is low, meaning the race condition is reliably triggerable without requiring specific memory layouts, timing precision beyond normal removal sequences, or other environmental prerequisites.
Blast Radius
- Kernel memory is corrupted or overwritten when the freed power_supply handle is accessed by the interrupt handler, giving an attacker influence over arbitrary kernel data structures.
- The system crashes outright (kernel panic) when the use-after-free dereferences an invalid pointer, disrupting all workloads on the affected host.
- Silent memory corruption can persist across the crash window, allowing an attacker to manipulate kernel objects and escalate privileges or leak sensitive kernel memory contents.
- All running processes and stored data on the host are at risk because the vulnerability operates at kernel privilege level with no sandboxing boundary.
How HarborGuard Handles This
Available on HarborGuard: images whose kernel version falls within the affected range are detected automatically upon scan, scored at CVSS 8.4 (HIGH), and queued for rebuild against the patched versions (5.10.252, 5.15.202, 6.1.165, or the upstream commit 2178dc65d45e2f7bcaa8af8d80d100419bdab251). For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes a regression test run, and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues. Where compliance policy does not permit auto-remediation, the finding is routed to the designated team inbox with full CVSS context and fix-version details for manual action. As an interim compensating control, customers can apply kernel module loading restrictions or restrict access to the affected hardware path via device cgroup rules to reduce exposure until the patched kernel is deployed.
Fix available
- Linux / Linux: < d4e2e3c3caa26b93aa9f36d0a6824b584e2a8dfc (from e86d69dd786e94046b8f5be7df1b9a8226a40b2a) · < 62d753b916bd500bb269b7078cdab73198ab4718 (from e86d69dd786e94046b8f5be7df1b9a8226a40b2a) · < a39f8f06216f73ef40e71e2fe4ad071964c1fd36 (from e86d69dd786e94046b8f5be7df1b9a8226a40b2a) · < af261f218a7606f93d2c786353d60bb4feb56ef0 (from e86d69dd786e94046b8f5be7df1b9a8226a40b2a) · < 2178dc65d45e2f7bcaa8af8d80d100419bdab251 (from e86d69dd786e94046b8f5be7df1b9a8226a40b2a) · < 64e15155095f39f4dec9b4659da1238ef8fc54d4 (from e86d69dd786e94046b8f5be7df1b9a8226a40b2a)
- Linux / Linux 4.2: Fixed in 0, 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H