CVE-2026-46246 Overview
CVE-2026-46246 is a use-after-free vulnerability in the Linux kernel's pm8916_lbc power supply driver. The flaw exists in the driver's interrupt request and extcon handle registration sequence. Because both resources use devm_ managed allocations, they are released in reverse order during device removal. The extcon handle is freed before the IRQ handler is unregistered, creating a race window where an in-flight interrupt can call extcon_set_state_sync() on a freed extcon handle. The result is typically a kernel crash or silent memory corruption on Qualcomm PM8916-based systems.
Critical Impact
A race during driver removal can dereference a freed extcon handle inside the IRQ handler, leading to kernel crashes or memory corruption.
Affected Products
- Linux kernel builds containing the pm8916_lbc power supply driver prior to the upstream fix
- Qualcomm PM8916-based platforms relying on the linear battery charger (LBC) driver
- Stable kernel branches receiving backports identified by commits 23067259, 47abfc20, 48e0f68b, and 9fab0120
Discovery Timeline
- 2026-06-03 - CVE-2026-46246 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46246
Vulnerability Analysis
The pm8916_lbc driver registers its interrupt handler using the device-managed devm_request_irq() helper before allocating and registering the extcon handle through the equivalent devm_ API. Device-managed resources are released in reverse order of their allocation. The extcon handle is therefore torn down first when the driver is unbound, while the IRQ remains live.
If an interrupt fires during this narrow window, the IRQ handler dereferences the already-freed extcon pointer through extcon_set_state_sync(). The dereference accesses memory that the slab allocator may have reused, producing kernel oops conditions or silent memory corruption depending on allocator state.
Root Cause
The root cause is an ordering defect in resource lifetime management [CWE-416]. The driver requests its IRQ before registering the extcon resource the handler depends on. The reverse-order teardown semantics of devm_ allocations guarantee that the handler outlives the data it operates on during removal.
Attack Vector
Triggering the race requires the driver to unbind while the underlying hardware asserts an interrupt. This is generally a local condition tied to module unload, suspend/resume cycles, or device hot-removal on Qualcomm PM8916 platforms. No remote attack vector is described in the upstream report. The defect is primarily a stability and reliability issue, though memory corruption in kernel context can have broader security implications.
The upstream fix reorders initialization so that devm_request_irq() runs after the extcon handle has been registered, ensuring the handler is torn down first during removal.
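The ordering defect and its fix can be reproduced in a small user-space model. This is an added example, not code from the kernel or the pm8916_lbc driver. The struct, the function names and the flag-based handler are assumptions that stand in for the devm_ release list, the extcon handle and the IRQ handler.

```c
#include <stdbool.h>
#include <stddef.h>

/* User-space model of devm_ teardown; all names are illustrative. */
typedef void (*release_fn)(void *ctx);

struct chg {                  /* stands in for the driver's private data */
    bool extcon_valid;        /* false once the extcon handle is freed */
    bool irq_registered;      /* false once the handler is unregistered */
    int stale_calls;          /* handler runs that hit a freed extcon */
    release_fn stack[4];      /* release actions, in registration order */
    size_t depth;
};

static void release_extcon(void *c) { ((struct chg *)c)->extcon_valid = false; }
static void release_irq(void *c) { ((struct chg *)c)->irq_registered = false; }

static void devm_register(struct chg *c, release_fn fn)
{
    c->stack[c->depth++] = fn;
}

/* Models the IRQ handler, which calls extcon_set_state_sync() on the handle. */
static void fire_irq(struct chg *c)
{
    if (!c->irq_registered)
        return;               /* handler already gone: nothing runs */
    if (!c->extcon_valid)
        c->stale_calls++;     /* this is where the use-after-free would occur */
}

/* Unbind: run release actions newest-first, with an interrupt arriving
 * after every step so each possible race point is covered. */
static int unbind(struct chg *c)
{
    while (c->depth > 0) {
        c->stack[--c->depth](c);
        fire_irq(c);
    }
    return c->stale_calls;
}

/* irq_first = true is the pre-fix order; false is the order after the fix. */
int stale_calls_for_probe_order(bool irq_first)
{
    struct chg c = { .extcon_valid = true, .irq_registered = true };
    devm_register(&c, irq_first ? release_irq : release_extcon);
    devm_register(&c, irq_first ? release_extcon : release_irq);
    return unbind(&c);
}
```

With the IRQ registered first, the model records one handler run against a released extcon; with the extcon registered first, it records none.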
Detection Methods for CVE-2026-46246
Indicators of Compromise
- Kernel oops or panic traces referencing extcon_set_state_sync originating from the pm8916_lbc IRQ handler
- Slab corruption warnings (SLUB, KASAN use-after-free) implicating extcon objects on Qualcomm PM8916 systems
- Unexplained charger or USB extcon state transitions immediately preceding crashes during module unload or shutdown
Detection Strategies
- Enable CONFIG_KASAN on test kernels to surface the use-after-free against extcon allocations
- Audit kernel build metadata to confirm whether the pm8916_lbc driver includes the upstream fix commits 23067259, 47abfc20, 48e0f68b, or 9fab0120
- Stress test driver unbind and module reload paths while the charger hardware is generating interrupts
Monitoring Recommendations
- Collect kernel crash dumps via kdump and inspect call stacks for pm8916_lbc and extcon symbols
- Forward dmesg and serial console logs from embedded fleets to a centralized log store for correlation
- Track kernel package versions across affected device inventories to confirm patch deployment
How to Mitigate CVE-2026-46246
Immediate Actions Required
- Update to a Linux kernel that includes the upstream fix from one of the referenced stable commits
- For vendor or distribution kernels, apply the backported patches identified by hashes 23067259, 47abfc20, 48e0f68b, and 9fab0120
- Avoid runtime unbind or rapid module reload of pm8916_lbc on unpatched systems until the fix is applied
Patch Information
The fix reorders devm_ allocations so that the extcon handle is registered before the IRQ is requested. This guarantees the IRQ handler is unregistered first during teardown, eliminating the race. Patch references are available in the upstream stable tree: Kernel Patch 23067259, Kernel Patch 47abfc20, Kernel Patch 48e0f68b, and Kernel Patch 9fab0120.
Workarounds
- Restrict access to driver unbind operations under /sys/bus/.../driver/unbind to root-only workflows
- Disable the pm8916_lbc driver on platforms where the charger functionality is not required
- Defer suspend/resume testing that exercises the charger interrupt path until patched kernels are deployed
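# Check whether the running kernel ships the pm8916_lbc driver (built-in or as a module).
# strings on /boot/vmlinuz finds nothing when the image is compressed, so query the module indexes.
grep -h pm8916_lbc "/lib/modules/$(uname -r)/modules.builtin" "/lib/modules/$(uname -r)/modules.dep" 2>/dev/null
# Check whether the kernel source tree contains one of the fix commits (match at the start of the hash).
git -C /usr/src/linux log --oneline | grep -E '^(23067259|47abfc20|48e0f68b|9fab0120)'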


