A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Six years. Gartner® Magic Quadrant™ Leader.Find Out Why
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45916

CVE-2026-45916: Linux Kernel Use-After-Free Vulnerability

CVE-2026-45916 is a use-after-free flaw in the Linux kernel's sbs-battery power supply driver that can cause system crashes or memory corruption. This article covers the technical details, affected versions, and patches.

Published: May 28, 2026

CVE-2026-45916 Overview

CVE-2026-45916 is a use-after-free vulnerability in the Linux kernel's Smart Battery System (SBS) battery driver located at drivers/power/supply/sbs-battery.c. The flaw stems from an incorrect ordering of device-managed (devm_) resource allocations during driver initialization. The interrupt request handler is registered before the power_supply handle is allocated, causing the power_supply structure to be freed before the IRQ handler is unregistered during driver removal. An interrupt firing during this window invokes power_supply_changed() with a freed handle, leading to memory corruption or a system crash.

Critical Impact

A race condition between IRQ handling and driver removal can trigger a use-after-free in power_supply_changed(), resulting in kernel memory corruption or system crashes on devices using the SBS battery driver.

Affected Products

  • Linux kernel versions containing the sbs-battery driver prior to the fix
  • Systems using Smart Battery System (SBS) compliant hardware
  • Embedded and mobile Linux platforms relying on power_supply subsystem with devm_ IRQ registration

Discovery Timeline

  • 2026-05-27 - CVE-2026-45916 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-45916

Vulnerability Analysis

The vulnerability resides in the SBS battery driver's probe routine. The driver uses the device-managed resource API (devm_) to request both an interrupt handler and to allocate the power_supply structure. Linux's devm_ framework releases resources in reverse order of allocation. When IRQ registration occurs before power_supply registration, the power_supply handle is torn down first on driver removal, leaving a live IRQ handler that references freed memory.

During the removal window, a hardware interrupt from the battery controller can invoke the registered handler. The handler then calls power_supply_changed() using a pointer to a deallocated power_supply structure. This dereferences freed kernel memory and typically results in a kernel oops, panic, or silent heap corruption.

A secondary condition exists during probe(): an interrupt may fire after IRQ registration but before the power_supply handle is fully initialized, causing power_supply_changed() to operate on uninitialized memory.

Root Cause

The root cause is incorrect lifecycle ordering of managed kernel resources. The devm_ IRQ request is issued before devm_power_supply_register(), violating the invariant that the IRQ handler must not outlive the data it operates on. This is a classic use-after-free pattern triggered by resource teardown ordering.

Attack Vector

Triggering the race requires local hardware-adjacent conditions on systems with an SBS battery device. The race window opens during driver unbind, module removal, or system shutdown when a battery interrupt fires concurrently with the teardown of the power_supply registration. Exploitation primarily manifests as denial of service through kernel crashes, though kernel memory corruption could be leveraged for further impact under specific conditions.

No verified public exploit code is available. Refer to the upstream kernel commits listed in the references for the patch implementation details.

Detection Methods for CVE-2026-45916

Indicators of Compromise

  • Unexpected kernel oops or panic messages referencing power_supply_changed, sbs_battery, or power_supply in dmesg or system logs
  • KASAN (Kernel Address Sanitizer) reports flagging use-after-free in the power_supply subsystem on kernels built with sanitizer support
  • Spontaneous reboots or hangs on devices using SBS-compliant batteries during driver unload or suspend/resume cycles

Detection Strategies

  • Audit running kernel versions against the fixed commits referenced in Kernel Git Commit 14d4dee5d8fb and related stable backports
  • Inspect kernel crash dumps for stack traces involving power_supply_changed() invoked from an IRQ context after driver removal
  • Enable KASAN on test systems to surface the use-after-free deterministically during driver unbind testing

Monitoring Recommendations

  • Centralize kernel logs from Linux endpoints and alert on kernel oops, BUG, or KASAN report patterns referencing the power_supply subsystem
  • Track kernel package versions across the fleet to confirm patched builds are deployed on systems with battery hardware
  • Monitor for repeated unscheduled reboots on laptops, tablets, and embedded devices that may indicate the race is being hit in production

How to Mitigate CVE-2026-45916

Immediate Actions Required

  • Apply the upstream Linux kernel patches referenced in the stable tree commits and rebuild affected kernels
  • Update to a distribution kernel package that includes the fix once vendors publish backports
  • Inventory systems that load the sbs_battery driver and prioritize them for patching

Patch Information

The fix reorders driver initialization so the IRQ is requested after the power_supply handle is registered. This ensures the IRQ handler is torn down before the power_supply structure is freed during driver removal. The patch also preserves graceful behavior by logging a warning and completing probe successfully if the IRQ request fails. Patched commits are available in the upstream stable tree, including 14d4dee5d8fb, 2078830c32d1, 8010b745b436, 82d3eb97a976, 861dda7a9074, 8d59cf3887fb, ca7dd71773e4, and f1f472b14ad5.

Workarounds

  • Where the SBS battery driver is not required, blacklist the sbs_battery kernel module to prevent the vulnerable code path from loading
  • Avoid runtime unbind or rmmod operations on the sbs_battery driver on production systems pending patch deployment
  • Restrict physical and local access to systems with SBS batteries to reduce the likelihood of triggering driver lifecycle events
bash
# Verify whether the sbs-battery driver is loaded and identify kernel version
lsmod | grep sbs_battery
uname -r

# Optional: prevent loading the vulnerable driver until patched
echo "blacklist sbs_battery" | sudo tee /etc/modprobe.d/blacklist-sbs-battery.conf
sudo update-initramfs -u

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeUse After Free
  • Vendor/TechLinux
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.02%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Kernel Git Commit
  • Kernel Git Commit
  • Kernel Git Commit
  • Kernel Git Commit
  • Kernel Git Commit
  • Kernel Git Commit
  • Kernel Git Commit
  • Kernel Git Commit
  • Related CVEs
  • CVE-2026-46240: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-46116: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-45879: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-46056: Linux Kernel Bluetooth UAF Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English