HIGH 8.4

CVE-2026-46270: Linux Kernel RT9455 Power Supply Use-After-Free Vulnerability

A use-after-free vulnerability exists in the Linux kernel's RT9455 power supply driver. The bug stems from improper resource cleanup ordering during driver removal: an interrupt handler can fire after the power supply device has been deallocated but before the interrupt itself is disabled, causing the handler to reference freed memory. This can crash the system or corrupt kernel memory. The vulnerability can also manifest during driver initialization if an interrupt fires before the power supply is fully registered.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: power: supply: rt9455: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46270 is a use-after-free flaw in drivers/power/supply/rt9455.c related to Linux kernel resource deallocation semantics. The rt9455 driver uses `devm_request_irq()` before `devm_power_supply_register()`. Since devm cleanup runs in reverse allocation order, the power_supply handle is freed before the IRQ handler is unregistered. During driver removal, a race condition allows the interrupt handler to invoke `power_supply_changed()` with a dangling pointer. Additionally, during probe, an interrupt may fire before power_supply registration completes, leading to use of an uninitialized handle. The fix reorders IRQ registration to occur after power supply registration, eliminating the race window. This affects the rt9455 charger/fuel gauge driver specifically.

Business impact

Systems running affected Linux kernel versions with the RT9455 power supply driver (commonly found in ARM-based embedded devices, SBCs, and some laptop/tablet hardware) face kernel-level stability and security risks. Exploitation can cause unexpected system crashes during driver removal or power state transitions, impacting device availability. In devices managing critical power functions (battery management, charging), this instability could lead to data loss or unsafe power-down scenarios. While not remotely exploitable, local attackers or unprivileged users who can trigger driver removal or power supply events may induce denial-of-service conditions.

Affected systems

The vulnerability affects Linux kernel installations with the RT9455 power supply driver. This driver manages battery charging and fuel gauge functionality on devices with Richtek RT9455 or compatible PMICs. Affected platforms typically include ARM-based embedded systems, single-board computers, and certain laptop/tablet models. Desktop and server deployments are unlikely to be affected unless they include legacy RT9455-compatible hardware. The scope is limited to systems where this specific driver is compiled in (rather than modular) or loaded as a module during runtime.

Exploitability

Exploitability is limited to local attack scenarios. An attacker must have the ability to trigger driver removal (e.g., via device unbind) or ensure precise timing of power supply state changes to race the condition. No remote vector exists. Unprivileged users on affected systems may trigger the vulnerability through power management operations (suspend/resume, charger hotplug events). However, the race window is narrow and non-deterministic, making reliable exploitation difficult. The CVSS score of 8.4 reflects the severity of consequences (memory corruption, crash) rather than ease of trigger; actual real-world exploitation requires local access and careful timing.

Remediation

Apply kernel patches that reorder devm resource allocation so that `devm_request_irq()` is called after `devm_power_supply_register()`. This ensures IRQ cleanup precedes power_supply deallocation, eliminating the use-after-free race. Additionally, add NULL-checks or synchronization guards in the interrupt handler to safely handle edge cases during probe/removal sequences. Users should upgrade to patched kernel versions and rebuild/redeploy systems running affected configurations.

Patch guidance

Verify the kernel version running on affected systems against vendor security advisories. Patches are expected in stable kernel releases following the upstream fix merge. Distribution maintainers (Red Hat, Debian, Ubuntu, etc.) will backport patches to their supported kernel branches. For devices using proprietary or vendor-specific kernels, contact the device manufacturer or SoC vendor for updated kernel images. If the rt9455 driver is not used (verify via `lsmod | grep rt9455` or kernel config), no action is required for this specific CVE.

Detection guidance

Monitor system logs for kernel panics, oops messages, or memory corruption errors occurring during power supply driver removal or power state transitions. Look for stack traces mentioning rt9455, power_supply_changed(), or devm cleanup routines. On systems where rt9455 is active, enable kernel debugging (CONFIG_DEBUG_KMEMLEAK, CONFIG_KASAN) in test environments to catch UAF conditions earlier. Runtime inspection: `cat /proc/modules | grep rt9455` confirms if the driver is loaded; cross-reference against vulnerable kernel versions. Kernel address sanitizer (KASAN) builds will reliably flag UAF attempts if configured.

Why prioritize this

Prioritize patching based on deployment criticality and hardware inventory. Systems using RT9455-based chargers (most common on ARM SBCs, ChromeOS devices, and certain Qualcomm Snapdragon platforms) should be updated promptly, particularly if power management or frequent driver load/unload cycles are common. The HIGH CVSS score (8.4) reflects memory corruption impact, though local-only exploitability means it is lower priority than remotely-exploitable flaws. However, kernel stability is foundational; any kernel memory corruption bug merits rapid remediation in production.

Risk score, explained

CVSS 3.1 score of 8.4 (HIGH) reflects: Attack Vector Local (reduces score), Attack Complexity Low (no special conditions needed once triggered), Privileges Required None (unprivileged users can trigger), User Interaction None (automatic via race), Scope Unchanged (confined to single system), and Confidentiality/Integrity/Availability all High (memory corruption impacts all three). The score does not account for the narrow exploitation window; CVSS assumes worst-case conditions. In practice, exploitation difficulty is higher than the numeric score suggests, making this a moderate-to-high practical risk rather than critical.

Frequently asked questions

Does this affect my device if I don't use Richtek RT9455 chargers?

No. This vulnerability is specific to the RT9455 power supply driver. If your device uses a different charger IC or power management solution, verify your driver name via `lsmod` or your device documentation. If rt9455 is not listed, this CVE does not apply.

Can this be exploited remotely or over the network?

No. This is a local-only vulnerability requiring direct access to the system. It cannot be triggered remotely via network, USB, or other remote interfaces. However, unprivileged users on the device can potentially trigger the condition.

What happens if the vulnerability is triggered?

The system may crash (kernel panic), exhibit memory corruption, or enter an unstable state. The exact outcome depends on kernel configuration and timing. Critical data loss or unsafe shutdown is possible in power-managed devices.

How urgent is this patch?

If your device uses RT9455 hardware and is in active use, patch within your normal security update cycle (typically 30-60 days for critical infrastructure). Standalone/embedded devices rarely need immediate action unless they are exposed to untrusted users with local access.

This analysis is based on publicly available CVE data as of the publication date. Patch availability and timelines vary by Linux distribution and device manufacturer. Organizations should verify compatibility of patches with their specific kernel version and hardware configuration before deployment. No exploit code or weaponized proof-of-concept is provided. This document does not constitute legal or compliance advice. SEC.co makes no warranties regarding patch effectiveness or system stability post-remediation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).