CVE-2026-45938 Overview
CVE-2026-45938 is a use-after-free vulnerability in the Linux kernel's pm8916_lbc power supply driver. The flaw resides in the driver's probe and removal logic, where the interrupt request (devm_request_irq) is registered before the power_supply handle is allocated and registered. Because devm_ resources are released in reverse allocation order, the power_supply handle is freed before the IRQ handler is unregistered. An interrupt firing during this window invokes power_supply_changed() against a freed handle, leading to system crashes or silent memory corruption. A similar race exists during probe() when an IRQ fires before the handle is initialized.
Critical Impact
A race condition between IRQ handling and device removal allows the kernel to dereference a freed power_supply structure, resulting in kernel memory corruption or denial of service on affected Qualcomm PM8916 platforms.
Affected Products
- Linux kernel builds including the pm8916_lbc power supply driver
- Qualcomm PM8916 PMIC-based platforms using the linear battery charger driver
- Stable kernel branches prior to the commits referenced in the upstream fix
Discovery Timeline
- 2026-05-27 - CVE-2026-45938 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45938
Vulnerability Analysis
The pm8916_lbc driver manages the linear battery charger inside the Qualcomm PM8916 power management IC. During device initialization, the driver uses managed resource APIs (devm_*) to request its interrupt line and to register the power_supply class device with the kernel. The Linux device model releases devm_ resources in reverse order of allocation, so resources allocated last are freed first. When the IRQ is requested before the power_supply handle is allocated, removal frees the power_supply handle while the IRQ handler is still active.
If the charger interrupt asserts after power_supply is freed but before devm_free_irq runs, the handler calls power_supply_changed() on dangling memory. This is a textbook use-after-free [CWE-416] in kernel context, which can corrupt the slab allocator or trigger an oops.
Root Cause
The root cause is an ordering bug in the driver's probe sequence. The lifetime of the IRQ handler must be a strict subset of the lifetime of the data it touches. Because devm_request_irq() was called before devm_power_supply_register(), the cleanup order violates this invariant. The same ordering also creates a probe-time window where the IRQ may fire before the power_supply handle is fully initialized, causing the handler to operate on uninitialized memory.
Attack Vector
Exploitation requires the affected pm8916_lbc driver to be present and the device to undergo unbind, module unload, or hot-removal while charger interrupts are active. The race is triggered by hardware-generated interrupts from the PMIC during the narrow window between resource teardown stages. It is not a network-reachable flaw. Impact is limited to local denial of service or kernel memory corruption on devices that ship this driver, such as Qualcomm Snapdragon 410-class platforms.
The fix moves devm_request_irq() to occur after devm_power_supply_register(), ensuring the IRQ is freed before the power_supply handle. See the upstream patches: Kernel Git Commit 08e674e, Kernel Git Commit b750812, Kernel Git Commit d7d31fc, and Kernel Git Commit dbe579e.
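To make the ordering invariant from Root Cause and the reordering applied by the fix concrete, here is an added C model (not code from this page or from the kernel) of devm reverse-order release with an interrupt asserting between teardown stages. The `dev_model` struct, `devm_push`, `lbc_irq_handler`, `device_remove` and `probe_order_is_unsafe` are hypothetical stand-ins for the kernel's devres machinery and the driver's handler, not real kernel APIs.

```c
#include <stdbool.h>

/* Constructed model of devm resource tracking: each devm_* call pushes
 * an entry, and device removal pops entries in reverse order, exactly
 * the property that makes the pm8916_lbc probe order matter. */
enum res_kind { RES_IRQ, RES_POWER_SUPPLY };

struct dev_model {
    enum res_kind stack[8];
    int depth;
    bool irq_registered;   /* handler may run while this is set */
    bool ps_valid;         /* power_supply handle allocated and live */
    bool uaf_window;       /* set if handler runs with no live handle */
};

/* Stand-in for the pm8916_lbc IRQ handler, which ends in
 * power_supply_changed(ps): it only runs while the IRQ is registered,
 * and is unsafe whenever the handle it touches is not live. */
static void lbc_irq_handler(struct dev_model *d) {
    if (d->irq_registered && !d->ps_valid)
        d->uaf_window = true;
}

/* Model of devm_request_irq() / devm_power_supply_register(): allocate,
 * then let an interrupt assert before the next probe step. */
static void devm_push(struct dev_model *d, enum res_kind k) {
    d->stack[d->depth++] = k;
    if (k == RES_IRQ) d->irq_registered = true;
    else d->ps_valid = true;
    lbc_irq_handler(d);           /* probe-time window */
}

/* Model of driver removal: release in reverse allocation order, with an
 * interrupt asserting between each release stage. */
static void device_remove(struct dev_model *d) {
    while (d->depth > 0) {
        enum res_kind k = d->stack[--d->depth];
        if (k == RES_IRQ) d->irq_registered = false;
        else d->ps_valid = false;
        lbc_irq_handler(d);       /* removal-time window */
    }
}

/* true if the given probe order leaves any window where the handler
 * runs against an unallocated or freed power_supply handle. */
bool probe_order_is_unsafe(bool irq_before_ps) {
    struct dev_model d = {0};
    if (irq_before_ps) { devm_push(&d, RES_IRQ); devm_push(&d, RES_POWER_SUPPLY); }
    else               { devm_push(&d, RES_POWER_SUPPLY); devm_push(&d, RES_IRQ); }
    device_remove(&d);
    return d.uaf_window;
}
```

With the vulnerable order (IRQ first) both the probe-time and the removal-time window open; with the fixed order (power_supply first) the handle outlives the handler at every step.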
Detection Methods for CVE-2026-45938
Indicators of Compromise
- Kernel oops or panic traces referencing power_supply_changed with pm8916_lbc frames on the call stack
- KASAN reports flagging a use-after-free read or write in power_supply_changed() triggered from an IRQ context
- Unexpected reboots or charger-subsystem instability correlated with driver unbind, module unload, or device removal events
Detection Strategies
- Enable CONFIG_KASAN on test kernels to surface use-after-free accesses in the power supply subsystem during stress unbind cycles
- Audit dmesg for repeated BUG: KASAN: use-after-free entries originating in drivers/power/supply/pm8916_lbc.c
- Compare the running kernel against the fixed commits to confirm the driver's probe ordering matches the upstream patch
Monitoring Recommendations
- Collect kernel crash dumps from fleet devices and triage stack traces involving power_supply_changed
- Monitor module load and unload events for pm8916_lbc and correlate with subsequent kernel warnings
- Track stable kernel version inventory to identify hosts still running pre-patch builds
How to Mitigate CVE-2026-45938
Immediate Actions Required
- Apply the upstream stable kernel updates that contain the reordered devm_request_irq() call in pm8916_lbc
- Rebuild and deploy vendor kernels for Qualcomm PM8916-based devices once the patch is integrated
- Avoid runtime unbinding or hot-removal of the pm8916_lbc driver on unpatched systems
Patch Information
The vulnerability is resolved in the Linux kernel by relocating the IRQ request to occur after the power_supply handle is registered. Fixes are available in the following commits: Kernel Git Commit 08e674e, Kernel Git Commit b750812, Kernel Git Commit d7d31fc, and Kernel Git Commit dbe579e. Downstream distributions should pull the corresponding stable backports into their kernel package builds.
Workarounds
- Restrict access to operations that unbind or unload the pm8916_lbc driver on production devices
- Disable runtime power management transitions that exercise driver teardown paths until patched kernels are deployed
- Where feasible, blacklist the pm8916_lbc module on devices that do not require charger functionality until the fix is applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.