CVE-2026-23186 Overview
A deadlock vulnerability has been identified in the Linux kernel's acpi_power_meter hardware monitoring driver. The issue occurs within the acpi_power_meter_notify() callback function, which improperly calls hwmon_device_unregister() while holding a lock that is also acquired by callbacks in sysfs attributes of the device being unregistered. This creates a deadlock condition between sysfs access and device removal operations.
Critical Impact
Systems running affected Linux kernel versions may experience system hangs or unresponsive behavior when the ACPI power meter hardware monitoring subsystem processes device notifications, potentially leading to denial of service conditions.
Affected Products
- Linux kernel with acpi_power_meter hwmon driver enabled
- Systems using ACPI power metering functionality
- Enterprise servers and workstations with ACPI power management hardware
Discovery Timeline
- 2026-02-14 - CVE CVE-2026-23186 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23186
Vulnerability Analysis
This vulnerability represents a classic deadlock race condition in the Linux kernel's hardware monitoring subsystem. The acpi_power_meter driver implements a notification callback (acpi_power_meter_notify()) that handles various ACPI notifications including device configuration changes. When processing METER_NOTIFY_CONFIG notifications, the function attempts to unregister the hwmon device while holding an internal lock.
The problem arises because the same lock is required by sysfs attribute callbacks that may be executing concurrently during device access. This creates a circular dependency where the notification handler waits for sysfs operations to complete (which need the lock), while sysfs operations wait for the lock held by the notification handler.
Additionally, the fix addresses a secondary race condition where two concurrent METER_NOTIFY_CONFIG notifications could attempt to remove the same device simultaneously, potentially causing use-after-free or double-free conditions.
Root Cause
The root cause is improper lock ordering and scope in the acpi_power_meter_notify() function. The original implementation called hwmon_device_unregister() within a critical section protected by a lock that is shared with sysfs attribute callbacks. This violates the lock ordering principle and creates conditions for deadlock.
The fix involves:
- Moving hwmon_device_unregister() outside the inner lock scope
- Adding a new static mutex to serialize the entire switch statement in acpi_power_meter_notify()
- Protecting hwmon_device_register_with_info() with the outer lock to prevent concurrent manipulation of the resource object
- Adding error checking for hwmon_device_register_with_info() failures to prevent unregistration of error pointers
Attack Vector
This vulnerability has a local attack vector. An attacker with local access could potentially trigger the deadlock condition by manipulating ACPI notifications or timing sysfs accesses to coincide with device removal events. The attack requires the ability to interact with the ACPI subsystem or generate specific hardware events.
The vulnerability manifests through the interaction between the notification callback and sysfs attribute access. When a METER_NOTIFY_CONFIG notification is received, the driver attempts to unregister and potentially re-register the hwmon device. If a user-space process is simultaneously reading sysfs attributes (such as power measurements), the deadlock occurs when both code paths attempt to acquire the same lock.
For technical details on the fix implementation, see the kernel git commits referenced in this advisory.
Detection Methods for CVE-2026-23186
Indicators of Compromise
- System hangs or freezes during ACPI power meter device operations
- Kernel soft lockup warnings in system logs mentioning acpi_power_meter functions
- Processes stuck in uninterruptible sleep (D state) when accessing /sys/class/hwmon/ paths related to power meters
- Watchdog timer events triggered by kernel deadlocks
Detection Strategies
- Monitor kernel logs for soft lockup messages containing acpi_power_meter_notify or related function names
- Implement system monitoring to detect processes stuck in D state for extended periods
- Use kernel lockdep debugging (if enabled) to identify potential deadlock scenarios
- Monitor for increased system load or unresponsive hwmon interfaces
Monitoring Recommendations
- Enable kernel lockdep debugging in development/testing environments to proactively identify lock ordering issues
- Configure watchdog timers to detect and respond to system hangs
- Implement monitoring for sysfs access latency to hwmon devices
- Set up alerting for kernel soft lockup warnings in production environments
How to Mitigate CVE-2026-23186
Immediate Actions Required
- Update to a patched Linux kernel version that includes the deadlock fix
- If immediate patching is not possible, consider disabling the acpi_power_meter module if not required
- Limit access to hwmon sysfs interfaces to reduce potential attack surface
- Monitor systems for signs of deadlock or system instability
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix introduces proper lock ordering by moving device unregistration outside the inner lock scope and adding a new serialization mutex. The patches are available through the kernel stable branches:
Apply the appropriate kernel update for your distribution to remediate this vulnerability.
Workarounds
- Blacklist or unload the acpi_power_meter kernel module if ACPI power metering functionality is not required
- Restrict access to hwmon sysfs interfaces using appropriate file permissions or SELinux/AppArmor policies
- Avoid automated monitoring scripts that frequently poll power meter sysfs attributes until patched
- Consider using alternative power monitoring mechanisms if available
# Temporarily disable the acpi_power_meter module
sudo modprobe -r acpi_power_meter
# Blacklist the module to prevent loading at boot
echo "blacklist acpi_power_meter" | sudo tee /etc/modprobe.d/blacklist-acpi-power-meter.conf
# Verify the module is not loaded
lsmod | grep acpi_power_meter
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
