CVE-2026-45879 Overview
CVE-2026-45879 is a use-after-free vulnerability in the Linux kernel's bq25980 battery charger power supply driver. The flaw stems from incorrect ordering of devm_ managed resource allocations during driver initialization. The driver requests its interrupt (IRQ) before allocating and registering the power_supply handle, which causes the handle to be freed before the IRQ handler is unregistered during device removal. This creates a race condition where an interrupt can fire after the power_supply handle is deallocated but before the IRQ handler is removed.
Critical Impact
An IRQ fired during driver teardown calls power_supply_changed() on a freed power_supply handle, leading to system crashes or silent memory corruption on affected Linux systems using the bq25980 charger.
Affected Products
- Linux kernel versions containing the bq25980 power supply driver prior to the fix
- Linux stable branches receiving backports across multiple commits
- Embedded and mobile Linux devices using the Texas Instruments BQ25980 battery charger IC
Discovery Timeline
- 2026-05-27 - CVE-2026-45879 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45879
Vulnerability Analysis
The vulnerability resides in the bq25980 battery charger driver under drivers/power/supply/. The driver uses Linux's device-managed (devm_) resource API, which automatically releases resources in reverse order of allocation when a device is removed. Because the driver requested the IRQ via devm_request_threaded_irq() before registering the power_supply class device with devm_power_supply_register(), the deallocation order during removal frees the power_supply structure before the IRQ is unregistered.
If the charger asserts an interrupt during this narrow window, the threaded IRQ handler invokes power_supply_changed() with a dangling pointer to a freed object. The result is a use-after-free condition [CWE-416] that can crash the kernel or corrupt arbitrary memory depending on how the freed allocation has been reused.
Root Cause
The root cause is incorrect ordering of devm_ managed resource lifetimes. Devres unwinds in last-in, first-out order, so an IRQ registered first is freed last. The power_supply handle that the IRQ handler dereferences becomes invalid before the IRQ source is silenced. A similar uninitialized-use hazard exists during probe() if an interrupt fires before power_supply registration completes.
Attack Vector
Triggering the condition requires a charger interrupt to fire during driver unbind or early probe. This is generally a local, hardware-driven race observable during module unload, system suspend/resume, hot-unplug, or boot. The vulnerability primarily affects availability and memory integrity on devices that integrate the bq25980 charger. No network attack vector is documented, and no public proof of concept or in-the-wild exploitation has been reported. The EPSS data indicates a low probability of exploitation.
The upstream fix reorders initialization so that devm_request_threaded_irq() runs only after devm_power_supply_register() succeeds. See the patch commits referenced under Kernel Git Commit 4aeaf03 and Kernel Git Commit 86f93df for the corrected ordering.
Detection Methods for CVE-2026-45879
Indicators of Compromise
- Kernel oops or panic referencing power_supply_changed in the call stack during module unload or device unbind
- KASAN reports flagging use-after-free reads inside the bq25980 driver path
- Unexpected reboots on devices with the BQ25980 charger correlated with charger plug/unplug events
Detection Strategies
- Run kernels built with CONFIG_KASAN=y in test environments to surface the use-after-free at runtime
- Audit loaded kernel modules for bq25980 and verify the running kernel includes one of the stable fix commits listed in the references
- Inspect dmesg and persistent crash logs (pstore, kdump) for bq25980_irq_handler_thread or power_supply_changed frames near free operations
Monitoring Recommendations
- Forward kernel logs and crash dumps to a centralized log platform for correlation across fleets of embedded or mobile Linux devices
- Track kernel package versions across managed Linux endpoints to identify hosts running pre-patch builds
- Alert on repeated charger driver interrupts coinciding with driver unbind or suspend transitions
How to Mitigate CVE-2026-45879
Immediate Actions Required
- Apply the upstream Linux kernel patches that reorder IRQ registration after power_supply registration in the bq25980 driver
- Update to a stable kernel release that incorporates the fix commits referenced by kernel.org
- For vendor kernels, request and deploy backports from the device or distribution maintainer
Patch Information
The vulnerability is fixed across multiple stable branches. Relevant commits include Kernel Git Commit 03d1e4e, Kernel Git Commit 0560a4b, Kernel Git Commit 0de95d2, Kernel Git Commit 16875e3, Kernel Git Commit 4aeaf03, Kernel Git Commit 5f0b1cb, Kernel Git Commit 86f93df, and Kernel Git Commit abea607. The fix moves devm_request_threaded_irq() to execute after devm_power_supply_register() returns successfully.
Workarounds
- Blacklist the bq25980 kernel module on systems where the charger driver is not strictly required
- Avoid unbinding or unloading the bq25980 module on production devices until a patched kernel is deployed
- Restrict physical and administrative access that could trigger repeated driver bind/unbind cycles
# Verify whether the bq25980 driver is loaded and check kernel version
lsmod | grep bq25980
uname -r
# Optional: blacklist the module until a patched kernel is installed
echo "blacklist bq25980" | sudo tee /etc/modprobe.d/blacklist-bq25980.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
