Use-after-free in Linux kernel - CVE-2026-45902
Published: May 28, 2026
Vulnerability identifier: #VU132588
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45902
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local attacker to cause a denial of service or corrupt memory.
The vulnerability exists due to a use-after-free in power_supply_changed() in the bq256xx power supply driver when handling interrupts during device probe or removal. A local attacker can trigger a race condition to cause a denial of service or corrupt memory.
The issue can also occur if an interrupt fires before the power_supply handle is initialized.
How to mitigate CVE-2026-45902
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/4b6fb0b6124f558131e502e3ffd03e6583b3ace6
- https://git.kernel.org/stable/c/74b5a88318db97d51bb40f774736553c2acd1514
- https://git.kernel.org/stable/c/8005843369723d9c8975b7c4202d1b85d6125302
- https://git.kernel.org/stable/c/81d3688c9a2158329391e08f2d0b8ba204216044
- https://git.kernel.org/stable/c/83c27fdd696ac13d023ef7a0345301be93209c53
- https://git.kernel.org/stable/c/8796910131a32ff29275052df768ef022929a394
- https://git.kernel.org/stable/c/cb5c743936edcebc51880eeb6bf04979b5c9438b