CVE-2026-46246: Linux Kernel pm8916_lbc Use-After-Free in IRQ Handler
A race condition in the Linux kernel's power supply driver (pm8916_lbc) can cause the system to crash or corrupt memory during device removal. The bug stems from a resource initialization order problem: an interrupt handler is registered before its associated data structure (extcon handle) is fully set up. When the device is removed, the data structure gets freed before the interrupt handler is disabled, creating a window where a pending interrupt could try to use already-freed memory. This is a use-after-free vulnerability that requires local access to trigger.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916_lbc: Fix use-after-free for extcon in IRQ handler Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `extcon` handle, means that the `extcon` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `extcon` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `extcon_set_state_sync()` with a freed `extcon` handle. Which usually crashes the system or otherwise silently corrupts the memory... Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `extcon` handle.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46246 is a use-after-free vulnerability (CWE-416) in the pm8916_lbc power supply driver within the Linux kernel. The root cause is improper devm_ resource lifecycle management: the IRQ is requested before the extcon device is registered, inverting the natural deallocation order. When the driver unloads, devm unwinding deallocates extcon first, then disables the IRQ handler. An interrupt firing during this window calls extcon_set_state_sync() on freed memory. The fix reorders initialization so that IRQ registration occurs after extcon setup, ensuring the IRQ is disabled before extcon deallocation.
Business impact
Depending on deployment context, this vulnerability could enable local denial-of-service attacks or silent data corruption on systems running affected Linux kernels. Systems with battery management hardware relying on pm8916_lbc (e.g., mobile devices, IoT equipment, automotive systems) are at risk. While exploitation requires local access and specific timing, the memory corruption potential makes this a reliability and data integrity concern for critical embedded deployments.
Affected systems
Linux kernel versions containing the vulnerable pm8916_lbc driver are affected. The vulnerability impacts systems where this Qualcomm power supply management driver is compiled in, typically found on ARM-based mobile and IoT platforms using PM8916 power management ICs. Exact affected kernel versions should be verified against the kernel security advisory or your distribution's backport tracking.
Exploitability
Exploitation requires local code execution capability (PR:L in CVSS) and relies on race condition timing—an interrupt must fire during a narrow window at device removal. While the vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, the race condition is deterministic under load or specific unload sequences, making it practically exploitable by local attackers or malicious system processes. No elevated privileges are needed beyond local execution context.
Remediation
Apply the kernel patch that reorders resource initialization in pm8916_lbc: move the devm_request_irq() call to occur after devm_extcon_dev_register() and related setup. Most Linux distributions and kernel.org have released patched versions; check your kernel maintainer's advisory for the specific version number and backport availability for your branch. For systems unable to patch immediately, disabling pm8916_lbc (if not essential) or restricting local access reduces risk.
Patch guidance
Identify your Linux kernel version (uname -r) and distribution. Check the kernel security advisory from kernel.org or your vendor (Red Hat, Ubuntu, Debian, etc.) for the patched version addressing CVE-2026-46246. Backports are typically available for stable and LTS kernels. Verify the patch explicitly mentions reordering devm_request_irq after extcon registration. Test in a non-production environment before rolling out broadly, particularly for embedded or automotive deployments where driver stability is critical.
Detection guidance
Monitor system logs for segmentation faults, NULL pointer dereferences, or kernel panics mentioning pm8916_lbc, extcon, or battery management operations, especially during device hotplug or system suspend/resume cycles. Kernel Address Sanitizer (KASAN) or other memory debugging tools will catch the use-after-free if enabled at build time. Network-based detection is not applicable; focus on host-based kernel error logging and crash analysis during device removal events.
Why prioritize this
HIGH severity due to CVSS 7.8 (local code execution with no special privileges or user interaction, high confidentiality/integrity/availability impact). Race condition exploitability is moderate but deterministic. Primary concern is silent memory corruption and system instability on embedded platforms relying on pm8916_lbc. Rank this high for ARM-based mobile, IoT, and automotive fleets; lower for traditional x86 server environments where this driver is less common.
Risk score, explained
CVSS 3.1 score of 7.8 reflects HIGH severity: Attack Vector:Local (AV:L) limits scope but matches actual threat model (local attackers/processes); Attack Complexity:Low (AC:L) indicates the race is not difficult to trigger under normal removal/hotplug scenarios; Privilege Required:Low (PR:L) means no root needed; Confidentiality/Integrity/Availability all High (C:H/I:H/A:H) due to potential memory corruption leading to crashes or data loss. The timing-dependent nature slightly lowers real-world exploitation probability compared to the base score but does not change severity classification.
Frequently asked questions
Does this affect my Linux desktop or server?
Only if you are running a kernel with pm8916_lbc compiled in and the affected device present. pm8916_lbc is specific to Qualcomm PM8916 power management hardware, found mainly on ARM-based mobile and IoT devices. Most x86 servers and desktops are not affected. Verify with `lsmod | grep pm8916_lbc` or check your kernel configuration.
What is a use-after-free and why is it dangerous?
A use-after-free occurs when code accesses memory after it has been freed, causing undefined behavior—typically crashes or data corruption. In this case, the freed extcon handle is accessed by an interrupt handler, potentially allowing attackers to corrupt kernel state or trigger denial-of-service attacks.
Can this be exploited remotely?
No. The vulnerability requires local code execution capability or precise timing of an interrupt during device removal. There is no network-based attack vector. However, any local process or authenticated user with sufficient access can potentially trigger the race condition.
Is there a workaround if I cannot patch immediately?
Workarounds are limited. If the system does not depend on battery management via pm8916_lbc, you may disable the driver at boot time (e.g., via kernel command-line parameters or module blacklisting). Otherwise, patch as soon as possible. Avoid frequent device hotplug or suspend/resume cycles to reduce race window exposure.
This analysis is based on the CVE record and published kernel advisory as of the date shown. CVSS scores and KEV status reflect information available at publication; verify current status at MITRE/NVD and CISA. Affected kernel versions must be confirmed against your vendor's advisory—this summary does not enumerate specific versions. No exploit code is provided or recommended. Always test patches in non-production environments before deployment. For embedded or safety-critical systems, coordinate with your platform vendor before applying kernel updates. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance