SB2026040676 - Use-after-free in Linux kernel base power driver
Published: April 6, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Use-after-free (CVE-ID: CVE-2026-23452)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in pm_runtime_work() when handling device removal during runtime power management. A local user can trigger a race condition involving device removal to cause a denial of service.
The issue is caused by dereferencing the dev->parent pointer after the parent device has been freed. It is reproducible sporadically with blktest block/001 and results in a KASAN-reported slab-use-after-free.
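The pattern described above, a deferred work item that dereferences dev->parent without holding anything that keeps the parent alive, is easy to reproduce in miniature. The following is an added, constructed illustration in C; it is not kernel code, not the upstream fix, and the toy_device / toy_get / toy_put / toy_runtime_work names and the "freed" flag (standing in for what KASAN would detect) are all assumptions made here. Only the ordering matters: removal drops the parent's last reference before the queued work runs. The hardened variant takes a reference on the parent when the work is queued and releases it when the work finishes, so the object cannot go away underneath the callback.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for struct device / get_device / put_device.
 * "freed" plays the role of KASAN: any access to an object whose last
 * reference is gone is reported instead of silently reading stale memory. */
struct toy_device {
    char name[16];
    int refcount;
    int freed;
    struct toy_device *parent;
};

static struct toy_device *toy_get(struct toy_device *d)
{
    if (d && !d->freed)
        d->refcount++;
    return d;
}

static void toy_put(struct toy_device *d)
{
    if (d && --d->refcount == 0)
        d->freed = 1;   /* last reference dropped: object is now invalid */
}

/* Deferred work item. Like a runtime-PM work item it only carries the
 * device pointer; the parent is reached through dev->parent at run time. */
struct toy_work {
    struct toy_device *dev;
    int parent_held;    /* hardened variant: a reference on the parent is pinned */
};

/* Returns 0 on a clean run, -1 if the callback touched a parent that had
 * already been released (the slab-use-after-free case). */
static int toy_runtime_work(struct toy_work *w)
{
    struct toy_device *parent = w->dev->parent;
    int rc = 0;

    if (parent == NULL)
        return 0;

    if (parent->freed)
        rc = -1;        /* dev->parent dereferenced after the parent was freed */
    else
        printf("resume %s (parent %s)\n", w->dev->name, parent->name);

    if (w->parent_held)
        toy_put(parent);    /* drop the reference taken at queue time */
    return rc;
}

/* Simulates the race: the child queues its work, then the removal path
 * drops the parent's own reference before the work item gets to run.
 * pin_parent=0 is the vulnerable ordering, pin_parent=1 the hardened one. */
static int simulate_removal_race(int pin_parent)
{
    struct toy_device parent = { "pci0000:00", 1, 0, NULL };   /* constructed names */
    struct toy_device child  = { "blk-test0", 1, 0, &parent };
    struct toy_work w = { &child, 0 };

    if (pin_parent) {               /* queue time: keep the parent alive */
        toy_get(&parent);
        w.parent_held = 1;
    }

    toy_put(&parent);               /* removal path runs first */

    return toy_runtime_work(&w);    /* queued work finally executes */
}

int main(void)
{
    printf("unpinned parent: %s\n", simulate_removal_race(0) ? "use-after-free" : "ok");
    printf("pinned parent:   %s\n", simulate_removal_race(1) ? "use-after-free" : "ok");
    return 0;
}
```

In a real driver the same two choices apply: hold a reference (get_device() on whatever the work will touch, released at the end of the callback) or make the removal path wait for the work with cancel_work_sync() before the object it depends on is released. Either one closes the window; relying on the work "usually" running before removal is what makes the bug sporadic rather than absent.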
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/29ab768277617452d88c0607c9299cdc63b6e9ff
- https://git.kernel.org/stable/c/39f2d86f2ddde8d1beda05732f30c7cd945e0b5a
- https://git.kernel.org/stable/c/5649b46af8b167259e8a8e4e7eb3667ce74554b5
- https://git.kernel.org/stable/c/bb081fd37f8312651140d7429557258afe51693d
- https://git.kernel.org/stable/c/c6febaacfb8a0aec7d771a0e6c21cd68102d5679
- https://git.kernel.org/stable/c/cf65a77c0f9531eb6cfb97cc040974d2d8fff043