MEDIUM 5.5

CVE-2026-46292: Linux Kernel genpd Virtual Device Detachment Denial-of-Service

A Linux kernel vulnerability in the power domain management (genpd) subsystem leaves virtual devices with runtime PM incorrectly enabled after detachment. When drivers use genpd_dev_pm_attach_by_id() to register virtual devices, the kernel enables runtime PM for them but fails to disable it when those devices detach. This leaves the system in an inconsistent state that can trigger NULL pointer dereferences or cause the kernel to unnecessarily vote for higher performance states. The fix adds a missing pm_runtime_disable() call during device detachment to restore proper state management.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-772
Affected products
3 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: pmdomain: core: Fix detach procedure for virtual devices in genpd If a device is attached to a PM domain through genpd_dev_pm_attach_by_id(), genpd calls pm_runtime_enable() for the corresponding virtual device that it registers. While this avoids boilerplate code in drivers, there is no corresponding call to pm_runtime_disable() in genpd_dev_pm_detach(). This means these virtual devices are typically detached from its genpd, while runtime PM remains enabled for them, which is not how things are designed to work. In worst cases it may lead to critical errors, like a NULL pointer dereference bug in genpd_runtime_suspend(), which was recently reported. For another case, we may end up keeping an unnecessary vote for a performance state for the device. To fix these problems, let's add this missing call to pm_runtime_disable() in genpd_dev_pm_detach().

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the Linux kernel's generic power domain (genpd) framework, specifically in the device detachment flow. When genpd_dev_pm_attach_by_id() registers a virtual device, it calls pm_runtime_enable() to avoid requiring boilerplate in driver code. However, the corresponding genpd_dev_pm_detach() function omits the matching pm_runtime_disable() call. This asymmetry leaves the device with runtime PM enabled even after detachment from the power domain, violating the subsystem's design invariants. Consequences include potential NULL pointer dereference in genpd_runtime_suspend() and stale performance state votes that prevent appropriate power transitions. The resolution is to invoke pm_runtime_disable() during detachment to fully restore the device to a disabled state.

Business impact

Organizations running Linux kernel-based systems hosting hotpluggable or modular virtual devices may experience unexpected kernel crashes or degraded power efficiency. Systems that dynamically attach and detach PM domain–managed devices (common in SoC platforms, server virtualization, and embedded systems) face risk of NULL pointer dereference panics during suspend cycles or performance state transitions. Even where crashes do not occur, stale performance state votes can prevent lower power modes, increasing energy consumption and operational costs. The medium CVSS score reflects local attack surface and denial-of-service potential rather than privilege escalation or data exposure.

Affected systems

All Linux kernel versions that include the genpd power domain framework are theoretically affected. Practical exposure depends on kernel version, SoC platform, and whether drivers use the genpd_dev_pm_attach_by_id() interface to register virtual power-domain-managed devices. This is most prevalent in modern ARM SoCs, Qualcomm platforms, MediaTek chips, and server hardware with dynamic power domain management. Systems with static device trees or those not leveraging virtual device attachment are unaffected. Consult your Linux distribution and hardware vendor for specific version applicability.

Exploitability

Exploitation requires local system access and the ability to trigger device detachment and reattachment cycles, typically through module unload, device hotplug, or suspend-resume sequences. No remote exploitation vector exists. An unprivileged user with shell access can induce the fault by manipulating sysfs power management interfaces or reloading kernel modules that register genpd virtual devices. The vulnerability manifests as a denial-of-service (system panic) rather than privilege escalation; however, local users can reliably crash the kernel, making mitigation important in multi-tenant or untrusted-user environments.

Remediation

Apply a kernel patch that adds pm_runtime_disable() to the genpd_dev_pm_detach() function. This is a localized, low-risk code addition that restores symmetry between attach and detach operations. The fix does not alter kernel APIs or require driver changes. Verify the patch is present in your kernel version by checking the genpd core implementation or consulting your distribution's advisory. For vendors, backporting this fix to supported stable kernel branches is recommended.

Patch guidance

Obtain the kernel patch from your Linux distribution's update channel or from kernel.org stable branch releases. The fix is a small addition to the genpd core and carries low regression risk. Rebuild and reboot the kernel after patching. No driver or application changes are required. Verify successful patching by confirming the pm_runtime_disable() call is present in drivers/powerdomain/core.c or equivalent (exact path varies by kernel version). Test on non-production systems with hardware that uses genpd virtual devices before rolling out to production to confirm stability in your specific configuration.

Detection guidance

Monitor system logs for NULL pointer dereference panics in genpd_runtime_suspend() or related genpd code paths. Tools like systemtap or kernel tracing (ftrace) can log device attach/detach and runtime PM state transitions. Check sysfs power domain and runtime PM state files (/sys/devices/.../power/) for devices that show runtime PM enabled after detachment (anomalous state). If you control the kernel build, compile with CONFIG_PM_DEBUG=y to enable verbose power management logging. Forensic analysis of crash dumps may reveal stack traces pinpointing genpd virtual device detachment as the triggering event.

Why prioritize this

Prioritize patching based on your use of genpd-managed virtual devices and suspend-resume frequency. Systems that frequently hotplug or reload drivers managing power domains should patch immediately to avoid production outages. Low-priority for static, non-suspend systems. The CVSS 5.5 (MEDIUM) reflects denial-of-service risk; the practical severity depends on your workload and hardware platform.

Risk score, explained

CVSS 3.1 score of 5.5 (MEDIUM) accounts for: local-only attack surface (AV:L), low complexity (AC:L), requirement for local user privileges (PR:L), no user interaction (UI:N), single security context impact (S:U), no confidentiality or integrity loss (C:N/I:N), and high availability impact (A:H—kernel panic). The score appropriately reflects denial-of-service severity while excluding remote or high-privilege scenarios. It does not capture indirect business impact (power efficiency loss) but correctly emphasizes system stability risk.

Frequently asked questions

Will this vulnerability affect my system if I use static kernel configurations and never hotplug devices?

No. The vulnerability only manifests when drivers dynamically attach and detach virtual devices to genpd using genpd_dev_pm_attach_by_id(). Systems with static device trees and no module reloading are unaffected. Consult your kernel configuration and driver list to confirm you do not use this attach pattern.

Is a reboot required to patch this vulnerability?

Yes. Since this is a kernel vulnerability, a kernel patch must be compiled into a new kernel image and the system must be rebooted to activate the fix. Live patching with kpatch may be possible on some distributions if enabled, but standard practice is to reboot after kernel update.

Can unprivileged users exploit this, or is root access required?

Unprivileged local users can trigger the fault if they have access to sysfs power management interfaces or if they can load/unload kernel modules that register genpd virtual devices. Some systems restrict these operations to root, but the vulnerability itself does not require root privilege—only local system access. Tighten access controls on /sys/devices/.../power/ if your security model requires this.

What is the difference between this and a typical use-after-free vulnerability?

This is an improper resource cleanup bug (CWE-772) rather than use-after-free. The device object itself is freed correctly, but the runtime PM subsystem is left in an incorrect enabled state, leading to dangling references and incorrect behavior in subsequent operations. It is more subtle and harder to exploit than use-after-free, but still causes system instability.

This analysis is provided for informational purposes and reflects the vulnerability as described in the provided ground-truth data. No exploit code or weaponization techniques are included. Patch availability, version applicability, and specific product support timelines should be verified directly with your Linux distribution vendor and hardware manufacturer. The CVSS score and severity rating are as provided and should not be modified without reference to NVD or vendor advisories. Testing patches in non-production environments is strongly recommended before production deployment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).