CVE-2026-23452 Overview
A race condition vulnerability has been identified in the Linux kernel's Power Management (PM) runtime subsystem. The vulnerability exists in the pm_runtime_work() function, where a use-after-free condition can occur during device removal operations. When a parent device is freed while a child device's power management work is still in progress, the code may dereference the dev->parent pointer after the parent device memory has already been released.
Critical Impact
This vulnerability can lead to kernel memory corruption, potential system instability, and in certain scenarios could be leveraged for privilege escalation or denial of service attacks on affected Linux systems.
Affected Products
- Linux Kernel (multiple stable branches affected)
- Systems using SCSI device hot-plug functionality
- Systems with active PM runtime device management
Discovery Timeline
- 2026-04-03 - CVE-2026-23452 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-23452
Vulnerability Analysis
This use-after-free vulnerability arises from improper synchronization between the PM runtime workqueue and device removal operations. The vulnerable code path in pm_runtime_work() attempts to check and potentially idle a parent device after completing work on a child device. The critical issue occurs when the parent device is removed and freed between the time the child's power lock is released and the parent's power lock is acquired.
The race window exists because the code releases dev->power.lock, then attempts to acquire parent->power.lock. During this brief unlocked period, another thread (such as a device removal triggered via sysfs) can free the parent device structure, leaving the PM runtime worker with a dangling pointer.
The KASAN (Kernel Address Sanitizer) output reveals a slab-use-after-free condition when lock_acquire attempts to read from freed memory at the parent device's power lock address. The vulnerability was specifically triggered by the blktest block/001 test, which exercises SCSI device hot-plug scenarios.
Root Cause
The root cause is insufficient synchronization between concurrent device removal and PM runtime operations. The pm_runtime_remove() function did not properly wait for pending PM runtime work to complete before allowing the device structure to be freed. This creates a classic Time-of-Check Time-of-Use (TOCTOU) race condition where the validity of the parent pointer is not guaranteed across lock boundaries.
The fix addresses this by inserting a flush_work() call in pm_runtime_remove(), ensuring that any pending PM runtime work associated with the device completes before the device removal proceeds.
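To make the race and the effect of the fix concrete, here is a small userspace model added for this advisory; it is not kernel code and not the fix commit itself. Device, PmWork, flush_work and the two pm_runtime_remove_* variants are hypothetical stand-ins for the kernel objects. The model assumes, following the description above, that the work item being flushed is the one that still holds a reference to the device about to be freed, and it uses a `resume` event to hold the worker exactly in the window between dropping the child's power lock and taking the parent's.

```python
import threading
from dataclasses import dataclass, field
from typing import Optional

# Device, PmWork, flush_work and pm_runtime_remove_* are hypothetical userspace
# stand-ins written for this advisory, not the kernel's code. `freed` models the
# slab object having been returned to the allocator.


@dataclass
class Device:
    name: str
    parent: Optional["Device"] = None
    power_lock: threading.Lock = field(default_factory=threading.Lock)
    freed: bool = False


def kfree(dev: Device) -> None:
    dev.freed = True


class PmWork:
    """Stand-in for the work item that pm_runtime_work() runs for a device.

    in_window is set once dev->power.lock has been released and before
    parent->power.lock is taken; resume holds the worker in that window,
    which models the worker being preempted exactly there.
    """

    def __init__(self, dev: Device) -> None:
        self.dev = dev
        self.in_window = threading.Event()
        self.resume = threading.Event()
        self.result: Optional[str] = None
        self.thread = threading.Thread(target=self._run, daemon=True)

    def _run(self) -> None:
        dev = self.dev
        with dev.power_lock:           # the child's own work under dev->power.lock
            parent = dev.parent        # dev->parent captured here
        self.in_window.set()           # lock dropped: the race window is open
        self.resume.wait()
        if parent.freed:               # the kernel has no such check; KASAN is what reports it
            self.result = "slab-use-after-free"
            return
        with parent.power_lock:        # rpm_idle(parent): lock_acquire(&parent->power.lock)
            self.result = "ok"


def flush_work(work: PmWork) -> None:
    """Let the pending work item run to completion and wait for it."""
    work.resume.set()
    work.thread.join()


def pm_runtime_remove_vulnerable(parent: Device, pending: PmWork) -> None:
    kfree(parent)                      # frees while the worker still holds dev->parent


def pm_runtime_remove_fixed(parent: Device, pending: PmWork) -> None:
    flush_work(pending)                # the fix: drain pending work before freeing
    kfree(parent)


def run_scenario(fixed: bool) -> Optional[str]:
    """Force the interleaving: worker enters the window, then removal runs."""
    parent = Device("scsi_target")                 # constructed device names
    child = Device("scsi_device", parent=parent)
    work = PmWork(child)
    work.thread.start()
    work.in_window.wait()
    if fixed:
        pm_runtime_remove_fixed(parent, work)
    else:
        pm_runtime_remove_vulnerable(parent, work)
        work.resume.set()                          # worker is rescheduled after the free
        work.thread.join()
    return work.result


if __name__ == "__main__":
    print("unpatched:", run_scenario(fixed=False))  # slab-use-after-free
    print("patched:  ", run_scenario(fixed=True))   # ok
```

The point of the model is the ordering, not the locking primitives: with the fix, removal cannot reach the free until every work item that may still dereference the device has run to completion, so there is no window in which the parent pointer goes stale.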
Attack Vector
The vulnerability is triggered through local device management operations, specifically during rapid device addition and removal sequences. An attacker with local access could potentially exploit this by:
- Initiating device removal via sysfs (/sys/class/scsi_device/*/device/delete)
- Timing the removal to coincide with PM runtime work processing
- Triggering the race condition to cause use-after-free memory access
The exploitation requires precise timing and repeated attempts due to the race condition nature. The KASAN trace shows the memory was allocated during scsi_alloc_target() and freed during scsi_target_dev_release(), with the PM runtime worker accessing the freed memory through the rpm_idle() → rpm_suspend() call path.
Detection Methods for CVE-2026-23452
Indicators of Compromise
- KASAN reports showing "slab-use-after-free" in lock_acquire with pm_runtime_work in the call trace
- Kernel panic or oops messages referencing PM runtime functions (rpm_suspend, rpm_idle, pm_runtime_work)
- Unexplained system crashes during device hot-plug operations, particularly with SCSI devices
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) in debug kernels to detect use-after-free conditions in real-time
- Monitor kernel logs for PM runtime-related warnings or errors using patterns like pm_runtime_work, rpm_suspend, or rpm_idle
- Run blktest block/001 or similar device hot-plug stress tests in controlled environments to verify kernel patching status
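As an added example that is not part of the advisory, the following Python scans kernel log lines for KASAN reports and flags those matching the indicators above: a slab-use-after-free whose call trace contains pm_runtime_work, rpm_idle or rpm_suspend. The sample log is constructed to resemble a KASAN report; its addresses, task ids and symbol offsets are made up, and an unrelated report is included to show that it is filtered out.

```python
import re
from typing import Dict, Iterable, List

# The function names are the advisory's indicators; the log below is constructed
# to look like dmesg output and is not a capture from a real system.
PM_RUNTIME_FRAMES = ("pm_runtime_work", "rpm_idle", "rpm_suspend")

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                          # "[  118.002100] "
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
FRAME_RE = re.compile(r"^\s+(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
SEP = "=" * 10                                                       # report delimiter

SAMPLE_LOG = """\
[  118.001000] sd 2:0:0:0: [sdb] Synchronizing SCSI cache
[  118.002000] ==================================================================
[  118.002100] BUG: KASAN: slab-use-after-free in lock_acquire+0x1a/0x2b0
[  118.002200] Read of size 8 at addr ffff888004a1c230 by task kworker/1:2/101
[  118.002300] Call Trace:
[  118.002400]  <TASK>
[  118.002500]  lock_acquire+0x1a/0x2b0
[  118.002600]  _raw_spin_lock_irq+0x3a/0x50
[  118.002700]  rpm_idle+0x55/0x1e0
[  118.002800]  rpm_suspend+0x4c1/0x9b0
[  118.002900]  pm_runtime_work+0xd0/0x130
[  118.003000]  process_one_work+0x2e5/0x6a0
[  118.003100]  </TASK>
[  118.003200] Allocated by task 55:
[  118.003300]  scsi_alloc_target+0x9b/0x470
[  118.003400] Freed by task 77:
[  118.003500]  scsi_target_dev_release+0x1f/0x40
[  118.003600] ==================================================================
[  120.000000] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  121.000000] ==================================================================
[  121.000100] BUG: KASAN: slab-out-of-bounds in memcpy+0x3c/0x60
[  121.000200] Call Trace:
[  121.000300]  memcpy+0x3c/0x60
[  121.000400]  example_driver_read+0x88/0x120
[  121.000500] ==================================================================
""".splitlines()


def parse_kasan_reports(lines: Iterable[str]) -> List[Dict]:
    """Split a kernel log into KASAN reports with bug kind, faulting function,
    access call trace and the allocation/free stacks."""
    reports: List[Dict] = []
    current = None
    section = None
    for raw in lines:
        line = TS_RE.sub("", raw.rstrip("\n"))
        if line.startswith(SEP):                       # opens or closes a report
            if current is None:
                current = {"kind": None, "func": None, "trace": [], "allocated": [], "freed": []}
                section = None
            else:
                reports.append(current)
                current = None
            continue
        if current is None:
            continue                                   # ordinary log noise
        m = BUG_RE.match(line)
        if m:
            current["kind"], current["func"] = m.group("kind"), m.group("func")
            continue
        if line.startswith("Call Trace:"):
            section = "trace"
            continue
        if line.startswith("Allocated by"):
            section = "allocated"
            continue
        if line.startswith("Freed by"):
            section = "freed"
            continue
        f = FRAME_RE.match(line)
        if f and section:
            current[section].append(f.group("func"))
    return reports


def matches_pm_runtime_uaf(report: Dict) -> bool:
    """True for a use-after-free reached through the PM runtime worker."""
    return report["kind"] == "slab-use-after-free" and any(
        frame.startswith(PM_RUNTIME_FRAMES) for frame in report["trace"]
    )


def scan_kernel_log(lines: Iterable[str]) -> List[Dict]:
    return [r for r in parse_kasan_reports(lines) if matches_pm_runtime_uaf(r)]


if __name__ == "__main__":
    for hit in scan_kernel_log(SAMPLE_LOG):
        print(f"{hit['kind']} in {hit['func']}: allocated by {hit['allocated']}, freed by {hit['freed']}")
```

Feeding the output of `dmesg` or `journalctl -k` into `scan_kernel_log` gives an alert that carries the allocation and free sites, which is what distinguishes this report (scsi_alloc_target / scsi_target_dev_release, per the trace described above) from other KASAN findings. The parser keys on the report delimiter and section headers, so it tolerates the extra sections a real report contains.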
Monitoring Recommendations
- Deploy kernel instrumentation to track PM runtime workqueue operations and device removal events
- Implement monitoring for unusual patterns in device hot-plug activity that could indicate exploitation attempts
- Configure alerting for KASAN or other memory sanitizer detections in kernel logs
How to Mitigate CVE-2026-23452
Immediate Actions Required
- Update to a patched Linux kernel version containing the fix (see patch commits below)
- If immediate patching is not possible, avoid rapid device hot-plug operations on production systems
- Enable KASAN in development and test environments to catch similar race conditions
Patch Information
The vulnerability has been fixed in multiple stable kernel branches. The fix introduces a flush_work() call in pm_runtime_remove() to ensure pending PM runtime work completes before device removal proceeds.
Patches are available from the following kernel git commits:
- Kernel Git Commit 29ab768
- Kernel Git Commit 39f2d86
- Kernel Git Commit 5649b46
- Kernel Git Commit bb081fd
- Kernel Git Commit c6febaac
- Kernel Git Commit cf65a77c
Workarounds
- Limit or disable SCSI device hot-plug operations on systems where kernel updates cannot be immediately applied
- Implement rate limiting on sysfs device management operations to reduce the likelihood of hitting the race window
- Use kernel lockdown or restrict access to device management sysfs interfaces to trusted administrators only
# Check the running kernel version
uname -r
# Verify that the kernel includes the fix: compare the running version against
# the patched stable release your distribution ships, or, in a kernel source
# tree, confirm that one of the fix commits listed above is an ancestor of HEAD
git merge-base --is-ancestor 29ab768 HEAD && echo "fix present"
# Restrict access to SCSI device removal (temporary mitigation; requires root,
# and sysfs permissions do not survive a reboot, so reapply at boot)
chmod 600 /sys/class/scsi_device/*/device/delete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

