CVE-2026-31740 Overview
CVE-2026-31740 is a race condition vulnerability in the Linux kernel rz-mtu3-cnt counter driver. The flaw arises because the counter and PWM sub-drivers both write to the shared dev member of struct rz_mtu3_channel for hardware channels 1 and 2. Each sub-driver overwrites the other's struct device pointer, leaving the counter sub-driver to perform runtime power management actions on the wrong device depending on probe order. The issue affects Linux kernel versions through 7.0-rc6 on systems using the Renesas RZ MTU3 hardware. Successful exploitation requires local access with low privileges and impacts system availability.
Critical Impact
A local authenticated attacker can trigger incorrect runtime power management on a mismatched device, leading to kernel-level denial of service on affected Renesas RZ platforms.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 7.0-rc1 through 7.0-rc6
- Systems using the Renesas RZ MTU3 counter and PWM drivers
Discovery Timeline
- 2026-05-01 - CVE-2026-31740 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31740
Vulnerability Analysis
The Linux kernel rz-mtu3-cnt counter driver shares hardware channel state with the rz-mtu3-pwm PWM driver through the struct rz_mtu3_channel structure. The counter driver uses hardware channels 1 and 2, while the PWM driver uses channels 0, 1, 2, 3, 4, 6, and 7. Both sub-drivers overlap on channels 1 and 2.
During probe, each sub-driver assigns its own struct device pointer to the shared dev member of struct rz_mtu3_channel. The second driver to probe overwrites the value set by the first. The counter sub-driver later dereferences this dev member to issue runtime power management calls.
When probe order causes the PWM driver to probe last, the counter driver invokes runtime PM operations against the PWM device instead of its own. This produces inconsistent power state transitions and can stall hardware activity tied to the counter subsystem.
Root Cause
The root cause is a shared mutable field in a structure used concurrently by two independent sub-drivers without coordinated ownership. Neither driver tracks whether the dev pointer already belongs to a peer driver, so the last writer wins. This is a design-level race condition between sub-driver probe paths rather than a classic concurrent-access TOCTOU.
Attack Vector
Exploitation requires local access with low privileges on a system running the affected drivers. An attacker with the ability to load, unload, or trigger probe of the rz-mtu3-cnt and rz-mtu3-pwm modules can influence probe ordering. By forcing the counter driver to use a stale or wrong struct device, runtime PM actions hit the wrong subsystem and can render the counter device unresponsive. Confidentiality and integrity are not affected; the impact is limited to availability of the affected hardware path.
The upstream fix replaces the use of the shared dev member with the parent device pointer of the counter, which is assigned correctly during probe and is not shared with the PWM driver.
Detection Methods for CVE-2026-31740
Indicators of Compromise
- Unexpected runtime PM state transitions logged against the rz-mtu3-pwm device when only counter operations are active.
- Kernel messages indicating counter device hangs or unresponsive MTU3 channels 1 or 2.
- Module load order anomalies where rz-mtu3-pwm consistently probes after rz-mtu3-cnt on affected platforms.
Detection Strategies
- Audit kernel logs (dmesg, journalctl -k) for runtime PM errors referencing rz-mtu3 devices.
- Compare installed kernel version against the patched commits listed in the upstream stable trees.
- Monitor for abnormal device probe sequences via udevadm monitor on Renesas RZ-based systems.
Monitoring Recommendations
- Track kernel package versions across Linux fleets and flag hosts running unpatched stable branches.
- Forward kernel logs to a centralized log platform and alert on rz-mtu3 runtime PM warnings.
- Validate that embedded and industrial deployments using Renesas RZ silicon are inventoried and included in patch cycles.
How to Mitigate CVE-2026-31740
Immediate Actions Required
- Identify Linux hosts using the rz-mtu3-cnt and rz-mtu3-pwm drivers, typically Renesas RZ-based embedded and industrial systems.
- Apply the upstream stable kernel update containing the fix from the Linux kernel git tree.
- Restrict local access and module-loading capability to trusted administrators where patching is delayed.
Patch Information
The vulnerability is resolved in upstream stable branches. Reference the fix commits: 28a371b, 2932095, 633dfbf, 63be324, and 6562290. The fix uses the counter's parent device pointer for runtime PM rather than the shared struct rz_mtu3_channeldev member.
Workarounds
- Disable the rz-mtu3-cnt or rz-mtu3-pwm driver if the corresponding functionality is not required on the deployed system.
- Constrain module loading via kernel module signing and modprobe configuration to prevent untrusted users from influencing probe order.
- Limit CAP_SYS_MODULE to administrative accounts only.
# Verify whether the affected drivers are loaded
lsmod | grep rz_mtu3
# Check current kernel version against patched stable releases
uname -r
# Optionally blacklist the counter module if unused
echo "blacklist rz_mtu3_cnt" | sudo tee /etc/modprobe.d/blacklist-rz-mtu3-cnt.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
