CVE-2026-45936 Overview
CVE-2026-45936 is a use-after-free vulnerability in the Linux kernel's goldfish battery driver, the virtual battery device presented to guests by the Android emulator. The flaw lies in the driver's probe and removal sequence: the interrupt is requested before the power_supply handle is registered. Because device-managed (devm_) resources are released in reverse allocation order, the handle registered last is freed first on removal while the IRQ handler, requested first, is still installed. An interrupt that fires in this window makes the handler call power_supply_changed() on a freed handle.
Critical Impact
Triggering the race during device removal or probe can crash the kernel or silently corrupt memory through use-after-free in power_supply_changed().
Affected Products
- Linux kernel goldfish power supply driver (drivers/power/supply/goldfish_battery.c)
- Stable kernel branches receiving the backported fixes referenced in the advisory
- Android emulator and virtualized environments that rely on the goldfish virtual battery device
Discovery Timeline
- 2026-05-27 - CVE-2026-45936 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45936
Vulnerability Analysis
The goldfish battery driver uses Linux device-managed (devm_) allocation helpers for both IRQ registration and power_supply registration. Device-managed resources are released in reverse allocation order during driver teardown. When the driver requests the IRQ before registering the power_supply handle, the handle is released first on removal while the IRQ handler remains installed. An interrupt arriving in that window calls power_supply_changed() with a dangling pointer, a classic use-after-free.
A second variant of the same ordering defect occurs at probe() time. If the interrupt line fires between IRQ registration and power_supply registration, the handler calls power_supply_changed() on a power_supply pointer that has not yet been initialized. Both paths produce undefined behavior ranging from a kernel oops to silent memory corruption.
Root Cause
The root cause is the ordering of device-managed resource lifetimes. The driver requested the IRQ via the devm_ API before allocating and registering the power_supply instance, inverting the dependency between the two resources: the handler depends on the handle, yet the handle is released first. This is a logic flaw in driver initialization rather than a missing bounds check.
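The two variants above follow directly from devm's LIFO release order. The following user-space model, added here as an illustration and not code from the kernel or the driver, replays probe and removal with both orderings and counts the bad handle accesses the interrupt handler would make. All model_* functions, the devm action stack and the struct names are hypothetical stand-ins for the kernel helpers with the same role; the interrupt is modelled as arriving immediately after the IRQ is requested and after every devm release step.

```c
/*
 * Added example, not the kernel's code: a user-space model of devm_
 * release ordering in the goldfish battery driver. devm actions are
 * released newest-first (LIFO), so whichever resource is registered
 * first is torn down last. All model_* functions and struct names are
 * hypothetical stand-ins for the kernel helpers with the same role.
 */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define DEVM_MAX 8

struct power_supply { int alive; };   /* stand-in for the kernel handle */

struct goldfish_data {
    struct power_supply *battery;     /* NULL until registered */
    int irq_live;                     /* handler installed? */
    int null_deref;                   /* probe-time variant hits */
    int uaf;                          /* removal-time variant hits */
};

/* Device-managed action stack: on teardown, releases run newest-first. */
struct device {
    struct goldfish_data data;
    void (*release[DEVM_MAX])(struct goldfish_data *);
    int nactions;
};

/* Stand-in for power_supply_changed(): records accesses through a bad handle. */
static void model_power_supply_changed(struct goldfish_data *d, struct power_supply *psy)
{
    if (psy == NULL)
        d->null_deref++;              /* probe: handle not assigned yet */
    else if (!psy->alive)
        d->uaf++;                     /* remove: handle already released */
}

/* Stand-in for goldfish_battery_interrupt(): runs only while the IRQ is live. */
static void model_irq_handler(struct goldfish_data *d)
{
    if (d->irq_live)
        model_power_supply_changed(d, d->battery);
}

static void release_irq(struct goldfish_data *d) { d->irq_live = 0; }
static void release_psy(struct goldfish_data *d) { d->battery->alive = 0; } /* pointer still dangles */

/* Stand-in for devm_request_irq(); an interrupt is modelled as arriving right away. */
static void model_devm_request_irq(struct device *dev)
{
    dev->data.irq_live = 1;
    dev->release[dev->nactions++] = release_irq;
    model_irq_handler(&dev->data);
}

/* Stand-in for devm_power_supply_register(). */
static void model_devm_power_supply_register(struct device *dev)
{
    dev->data.battery = calloc(1, sizeof *dev->data.battery);
    dev->data.battery->alive = 1;
    dev->release[dev->nactions++] = release_psy;
}

/* Vulnerable order: IRQ requested before the handle exists. */
void goldfish_probe_vulnerable(struct device *dev)
{
    model_devm_request_irq(dev);
    model_devm_power_supply_register(dev);
}

/* Fixed order: handle registered first, so devm tears the IRQ down first. */
void goldfish_probe_fixed(struct device *dev)
{
    model_devm_power_supply_register(dev);
    model_devm_request_irq(dev);
}

/* Removal: devm unwinds LIFO; an interrupt is raised after every step. */
static void model_device_remove(struct device *dev)
{
    while (dev->nactions > 0) {
        dev->release[--dev->nactions](&dev->data);
        model_irq_handler(&dev->data);
    }
    free(dev->data.battery);
}

/* Runs probe then remove with the given ordering; returns the fault counters. */
struct goldfish_data run_lifecycle(void (*probe)(struct device *))
{
    struct device dev;
    memset(&dev, 0, sizeof dev);
    probe(&dev);
    model_device_remove(&dev);
    return dev.data;
}

int main(void)
{
    struct goldfish_data v = run_lifecycle(goldfish_probe_vulnerable);
    struct goldfish_data f = run_lifecycle(goldfish_probe_fixed);
    printf("vulnerable order: %d NULL deref, %d use-after-free\n", v.null_deref, v.uaf);
    printf("fixed order:      %d NULL deref, %d use-after-free\n", f.null_deref, f.uaf);
    return 0;
}
```

With the vulnerable ordering the model records one NULL dereference (the interrupt between IRQ request and handle registration) and one use-after-free (the interrupt after devm released the handle but before it released the IRQ); with the fixed ordering it records neither, because the IRQ is the newest devm action and is torn down before the handle.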
Attack Vector
Exploitation requires the ability to trigger driver unbind, module removal, or device probe while the goldfish battery interrupt can be raised. The interrupt comes from the emulated device, so the race needs a battery status change reported by the emulator to coincide with the driver's teardown or initialization window inside the guest. Locally, root privileges are needed to bind and unbind the driver through sysfs or to remove the module; combined with interrupt activity, that is sufficient to reach the freed handle.
No verified exploit code is available; the vulnerability is described in prose in the upstream commit messages referenced below. See Kernel Patch 0b29ffe and Kernel Patch bad8b61 for the corrected initialization sequence.
Detection Methods for CVE-2026-45936
Indicators of Compromise
- Kernel oops or panic stack traces referencing power_supply_changed and goldfish_battery during module unload or device unbind
- KASAN reports flagging use-after-free in power_supply_changed() originating from the goldfish IRQ handler
- Unexpected memory corruption symptoms in emulated Android guests, or other virtualized environments, that exercise the goldfish battery device
Detection Strategies
- Enable CONFIG_KASAN on test kernels to catch use-after-free accesses in the goldfish driver path
- Audit running kernel versions against the patched stable commits listed in the references to confirm whether the fix is applied
- Correlate dmesg output across fleet hosts for crash signatures involving power_supply_changed after driver unbind events
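The indicators above reduce to one pattern: a kernel BUG report whose body names both power_supply_changed and the goldfish driver. As an added example (not the page's or the kernel project's code), the C program below applies that pattern to a dmesg excerpt. The log lines, symbol offsets and addresses are constructed for illustration and were not captured from a real host; report boundaries are recognised by a "BUG:" line at the start and a KASAN separator line or "---[ end trace" at the end, which is an assumption about the log format that the scanner depends on.

```c
/*
 * Added example, not from the page or the kernel: scan kernel log lines
 * for crash reports that tie power_supply_changed() to the goldfish
 * battery driver. A report starts at a "BUG:" line and ends at a KASAN
 * separator ("====") or "---[ end trace". The sample lines below are
 * constructed; offsets and addresses are illustrative only.
 */
#include <stdio.h>
#include <string.h>

/* Constructed dmesg excerpt: one matching KASAN report, one unrelated BUG. */
static const char *sample_dmesg[] = {
    "[  12.001] usb 1-1: new high-speed USB device",
    "[  40.120] ==================================================================",
    "[  40.121] BUG: KASAN: use-after-free in power_supply_changed+0x24/0x180",
    "[  40.122] Read of size 8 at addr ffff888003c0a400 by task swapper/0/0",
    "[  40.123] Call Trace:",
    "[  40.124]  power_supply_changed+0x24/0x180",
    "[  40.125]  goldfish_battery_interrupt+0x58/0xa0",
    "[  40.126]  __handle_irq_event_percpu+0x6c/0x1e0",
    "[  40.127] ==================================================================",
    "[  55.300] BUG: kernel NULL pointer dereference, address: 0000000000000010",
    "[  55.301]  some_other_driver_probe+0x10/0x40",
    "[  55.302] ---[ end trace 0000000000000000 ]---",
    NULL,
};

struct report_stats {
    int reports;            /* every BUG report seen */
    int goldfish_psy_hits;  /* reports naming both symbols of interest */
};

static int is_report_end(const char *line)
{
    return strstr(line, "====") != NULL || strstr(line, "---[ end trace") != NULL;
}

/* Walks NULL-terminated lines; counts BUG reports that mention both symbols. */
struct report_stats scan_kernel_log(const char **lines)
{
    struct report_stats st = {0, 0};
    int in_report = 0, saw_psy = 0, saw_goldfish = 0;

    for (; *lines; lines++) {
        const char *line = *lines;
        if (!in_report) {
            if (strstr(line, "BUG:") == NULL)
                continue;           /* noise outside any report */
            in_report = 1;
            saw_psy = saw_goldfish = 0;
            st.reports++;
        }
        if (strstr(line, "power_supply_changed"))
            saw_psy = 1;
        if (strstr(line, "goldfish_battery"))
            saw_goldfish = 1;
        if (is_report_end(line)) {
            if (saw_psy && saw_goldfish)
                st.goldfish_psy_hits++;
            in_report = 0;
        }
    }
    /* Log truncated mid-report: still count it if it already matched. */
    if (in_report && saw_psy && saw_goldfish)
        st.goldfish_psy_hits++;
    return st;
}

struct report_stats scan_sample(void)
{
    return scan_kernel_log(sample_dmesg);
}

int main(void)
{
    struct report_stats st = scan_sample();
    printf("%d BUG reports, %d linking power_supply_changed to goldfish_battery\n",
           st.reports, st.goldfish_psy_hits);
    return 0;
}
```

On a real host the same function would be fed lines from dmesg or journalctl -k; requiring both symbols inside one report is what keeps unrelated power_supply_changed crashes from other drivers out of the alert.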
Monitoring Recommendations
- Forward kernel logs and crash dumps to a centralized analytics platform and alert on use-after-free signatures touching power supply subsystems
- Track driver bind, unbind, and module load events on hosts running emulator or goldfish workloads
- Monitor for unexpected reboots or kernel panics in emulated Android guests that run the goldfish battery driver; the driver lives in the guest kernel, so that is where a crash caused by this race surfaces
How to Mitigate CVE-2026-45936
Immediate Actions Required
- Apply the upstream stable kernel patches that reorder IRQ registration to occur after power_supply registration
- Inventory hosts using the goldfish battery driver, particularly Android emulator infrastructure and CI runners
- Confine sysfs bind/unbind of the driver and removal of the goldfish_battery module to controlled maintenance windows until patched kernels are deployed; both already require root, so the practical exposure is automation that unloads the driver on a live guest
Patch Information
The fix moves the devm_request_irq() call to occur after devm_power_supply_register(), ensuring the IRQ handler is torn down before the power_supply handle is released. Patched commits across stable branches include Kernel Patch 0b29ffe, Kernel Patch 33751e2, Kernel Patch 4350505, Kernel Patch 589d4fe, Kernel Patch 77ea437, Kernel Patch 8c89aad, Kernel Patch b2ce982, and Kernel Patch bad8b61.
Workarounds
- Blacklist the goldfish_battery module on systems that do not require the virtual battery device and reboot; unloading it on a live system walks the vulnerable removal path, so prefer blacklisting over modprobe -r
- Avoid driver unbind operations and module removal on production hosts until the patched kernel is installed
- Avoid changing the emulated battery state, which raises the goldfish battery interrupt, while a driver teardown is in progress
# Blacklist the goldfish_battery module until a patched kernel is deployed.
# Only effective when the driver is built as a module; a built-in driver
# (CONFIG_BATTERY_GOLDFISH=y) cannot be blacklisted and needs the patched kernel.
echo 'blacklist goldfish_battery' | sudo tee /etc/modprobe.d/blacklist-goldfish.conf
# Rebuild the initramfs so early boot honours the blacklist (Debian/Ubuntu
# shown; dracut-based distributions use 'sudo dracut -f' instead), then reboot.
sudo update-initramfs -u
# Do not 'modprobe -r' on a live guest: unloading walks the vulnerable removal
# path. After the reboot, verify the module is not loaded.
lsmod | grep goldfish_battery || echo 'goldfish_battery not loaded'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.