CVE-2026-46252 Linux Kernel Regulator Locking Vulnerability
A locking bug exists in the Linux kernel's regulator power management subsystem. When the system attempts to enable a power supply regulator and that operation fails, the error-handling code releases a reference to the regulator object without holding the required lock. This creates a race condition where another part of the system could be accessing the regulator data simultaneously, potentially causing a crash or memory corruption. The fix involves using the correct function call that ensures proper locking during cleanup, and adding additional safeguards to prevent concurrent access while clearing internal pointers.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-667
- Affected products
- 7 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-07-04
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix locking in regulator_resolve_supply() error path If late enabling of a supply regulator fails in regulator_resolve_supply(), the code currently triggers a lockdep warning: WARNING: drivers/regulator/core.c:2649 at _regulator_put+0x80/0xa0, CPU#6: kworker/u32:4/596 ... Call trace: _regulator_put+0x80/0xa0 (P) regulator_resolve_supply+0x7cc/0xbe0 regulator_register_resolve_supply+0x28/0xb8 as the regulator_list_mutex must be held when calling _regulator_put(). To solve this, simply switch to using regulator_put(). While at it, we should also make sure that no concurrent access happens to our rdev while we clear out the supply pointer. Add appropriate locking to ensure that. While the code in question will be removed altogether in a follow-up commit, I believe it is still beneficial to have this corrected before removal for future reference.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46252 addresses a locking violation in the Linux kernel's regulator core subsystem, specifically in the regulator_resolve_supply() function's error handling path. When late enabling of a supply regulator fails, the code calls _regulator_put() without holding the regulator_list_mutex, triggering lockdep warnings and creating a potential use-after-free scenario. The vulnerability is classified as CWE-667 (Improper Locking). The resolution involves: (1) replacing _regulator_put() with regulator_put(), which properly acquires the necessary lock internally; and (2) implementing additional mutex protection when clearing the supply pointer to prevent concurrent rdev access. This fix addresses a race condition in an error path that would otherwise allow unsynchronized modification of regulator state.
Business impact
This vulnerability primarily affects the availability and stability of Linux kernel-based systems. Affected systems could experience kernel panics, system hangs, or memory corruption when power regulator initialization encounters failures—conditions that might occur during boot, during dynamic power management transitions, or in edge-case hardware configurations. For enterprises deploying embedded Linux, IoT devices, or systems with complex power management requirements, unplanned kernel crashes directly impact operational uptime. While the vulnerability requires privileged access (as indicated by the CVSS vector PR:L), the exposure is significant in multi-tenant or untrusted-driver environments where a malicious or buggy kernel module or privileged user could trigger the condition deliberately.
Affected systems
All Linux kernel versions containing the vulnerable regulator_resolve_supply() code are affected. The vulnerability is not confined to a specific distribution but rather resides in the upstream Linux kernel. Any system running a kernel version with this vulnerable code path—including servers, embedded systems, IoT devices, and specialized hardware using Linux—is potentially affected. Newer kernel releases from the Linux kernel project addressing this issue should be tracked through vendor advisories and kernel.org release notes. Users should consult their specific Linux distribution vendor (Red Hat, Canonical, SUSE, etc.) for backported patches to their supported kernel versions.
Exploitability
Exploitation requires local privileged access (PR:L per the CVSS vector) and the ability to trigger regulator supply initialization failures. The attack surface is limited to scenarios where: (1) a privileged user can load a malicious or misconfigured kernel module; (2) a misconfigured or failing power supply regulator is registered; or (3) dynamic power management operations are triggered under adverse conditions. The vulnerability is not remotely exploitable and does not grant privilege escalation. However, it can be leveraged by a privileged user to cause denial of service (system crash) with high reliability once the conditions are met. The lack of public exploit code and KEV designation suggests this remains a lower-priority exploitation target, though the issue should not be dismissed in threat environments with trusted but potentially buggy kernel code or supervised lab settings.
Remediation
Apply kernel patches from your Linux distribution vendor that address CVE-2026-46252. The fix requires updating to a patched kernel version. Consult your distribution's security advisory or kernel release notes (verify against the vendor advisory for specific patched version numbers). For users who compile custom kernels, apply the upstream fix to regulator_resolve_supply() as described in the Linux kernel patch. Testing should validate that regulator initialization and error paths function correctly across your target hardware configurations.
Patch guidance
Monitor your Linux distribution's security advisory channels for updates addressing this CVE. For production systems: (1) schedule kernel updates following your change management process; (2) test in a staging environment with similar power management hardware to ensure no regressions; (3) coordinate updates during maintenance windows to minimize downtime. For systems using generic distributions (Red Hat Enterprise Linux, Ubuntu LTS, SUSE, etc.), patches should become available within weeks of the vulnerability's publication. Embedded system vendors should also release updates for affected SoC kernels. Always verify patched kernel version numbers against official vendor advisories before deployment.
Detection guidance
Detection of this vulnerability's exploitation is challenging at runtime without kernel debugging tools. System administrators should monitor for: (1) unexpected kernel panics or oops messages containing 'regulator_resolve_supply' or '_regulator_put' in the call trace; (2) increased system hang events during power state transitions or regulator initialization; (3) kernel lockdep warnings (if debugging enabled) related to regulator_list_mutex. For detection and monitoring: run `dmesg` or review system logs for regulator-related warnings; use `uname -r` to verify kernel version against known-affected ranges; enable kernel lockdep in debug configurations to catch the race condition early in test environments.
Why prioritize this
This vulnerability merits medium priority for general enterprise environments but higher priority for systems with strict availability requirements or complex power management. The CVSS score of 5.5 (MEDIUM) reflects the local-only attack surface (AV:L) and privilege requirement (PR:L), offset by the high availability impact (A:H) from kernel crashes. Prioritize patching for: (1) critical infrastructure systems where unexpected crashes are costly; (2) embedded/IoT deployments with power management complexity; (3) multi-tenant cloud environments where untrusted kernel modules might be loaded; (4) systems in environments where kernel debugging or aggressive regulator changes occur.
Risk score, explained
The CVSS v3.1 score of 5.5 (MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects: Attack Vector (Local) = vulnerability requires local system access; Attack Complexity (Low) = no special conditions needed to trigger once local access is gained; Privileges Required (Low) = a privileged user can trigger the condition; User Interaction (None) = no user action is necessary; Scope (Unchanged) = impact is confined to the vulnerable system; Confidentiality (None) = no information disclosure; Integrity (None) = no data corruption of user data; Availability (High) = denial of service via kernel crash is highly likely. The score appropriately weights a reliability-impacting but local-only vulnerability.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-46252 requires local system access and privileged user context (as indicated by PR:L in the CVSS vector). Remote exploitation is not possible.
Does this vulnerability allow privilege escalation?
No. While the vulnerability requires elevated privileges to trigger, it does not grant additional privileges. A privileged user could abuse it to cause a denial of service, but cannot leverage it to escalate from unprivileged to root access.
Which systems are most at risk?
Systems with complex power management requirements, embedded Linux deployments, IoT devices, and environments where power supply regulator failures might occur or where untrusted kernel modules are loaded. Standard server deployments with stable power supplies face lower practical risk, though they remain technically vulnerable until patched.
Is there a workaround for systems that cannot be patched immediately?
There is no complete workaround. Mitigation strategies include: disabling untrusted kernel module loading where possible; avoiding dynamic power regulator changes in production; and minimizing scenarios that trigger regulator initialization failures. However, these are incomplete; kernel patching remains the definitive remediation.
This analysis is based on the official CVE-2026-46252 description and CVSS v3.1 score provided by the National Vulnerability Database and Linux kernel project. No actual exploitation code is provided. Patch version numbers and affected product details must be verified against official vendor advisories (Red Hat, Canonical, SUSE, etc.) before deployment. Organizations should test patches in staging environments before production rollout. This assessment does not constitute professional security advice and should be combined with your organization's risk management framework and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46156MEDIUMLinux Kernel Loongson GPU Driver ADE Panic on Loongarch
- CVE-2026-46165MEDIUMLinux Kernel Open vSwitch Vport Deadlock Denial of Service
- CVE-2026-46223MEDIUMLinux Kernel Cgroup Deadlock During Container Teardown
- CVE-2026-46256MEDIUMLinux NFS LOCALIO Recursion Deadlock Vulnerability
- CVE-2026-46262MEDIUMLinux Kernel fsl_xcvr Audio Driver Deadlock Vulnerability
- CVE-2026-46112HIGHLinux HNS RDMA Driver Locking Bug Enables Local Privilege Escalation
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout