CVE-2026-46270 Overview
CVE-2026-46270 is a use-after-free vulnerability in the Linux kernel's rt9455 power supply driver. The flaw stems from incorrect ordering of device-managed (devm_) resource allocation in the driver's probe routine. The IRQ is requested before the power_supply handle is registered, causing the power_supply handle to be deallocated before the interrupt handler during device removal. An interrupt firing in this race window invokes power_supply_changed() against a freed handle, leading to kernel memory corruption or a system crash.
Critical Impact
A race condition between IRQ deregistration and power_supply handle teardown can trigger a use-after-free, resulting in kernel crashes or silent memory corruption on systems using the rt9455 battery charger driver.
Affected Products
- Linux kernel versions containing the drivers/power/supply/rt9455.c driver prior to the fix
- Stable kernel branches referenced by the eight upstream commits listed below
- Embedded and mobile platforms using the Richtek RT9455 battery charger IC
Discovery Timeline
- 2026-06-03 - CVE-2026-46270 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46270
Vulnerability Analysis
The rt9455 driver uses Linux's device-managed resource framework, where devm_ allocations are automatically released in reverse order during driver detach. The driver registers its interrupt handler with devm_request_threaded_irq() before registering the power_supply handle with devm_power_supply_register(). Because deallocation is LIFO, the power_supply handle is freed before the IRQ handler is unregistered.
During this short window in the removal path, a hardware interrupt can still fire and invoke the registered handler. The handler calls power_supply_changed() against the already-freed power_supply structure, producing a classic use-after-free [CWE-416]. A symmetric problem exists during probe: an early interrupt can fire before power_supply registration completes, causing the handler to operate on an uninitialized handle.
Root Cause
The root cause is incorrect ordering of device-managed resource registrations. The driver requests the IRQ before allocating and registering the dependent power_supply object. This violates the invariant that an interrupt handler must outlive the data structures it dereferences.
Attack Vector
Triggering the condition requires the rt9455 hardware to assert an interrupt during driver probe or removal. Exploitation is local and depends on physical or driver-binding access to the device. The primary impact is kernel instability and potential memory corruption rather than remote compromise. See the upstream fixes such as commit 64e15155095f and commit 721449a15170 for the corrected ordering.
Detection Methods for CVE-2026-46270
Indicators of Compromise
- Kernel oops or panic traces referencing power_supply_changed or rt9455 in the call stack
- KASAN reports flagging use-after-free in the power supply subsystem on affected kernels
- Unexpected system reboots or memory corruption symptoms on devices using the RT9455 charger IC
Detection Strategies
- Inventory running kernel versions across Linux endpoints and compare against the fixed commits in the kernel.org stable tree
- Enable KASAN on test builds to surface latent use-after-free conditions in the power supply driver path
- Review dmesg and persistent kernel logs for crashes correlated with charger hotplug or driver unbind events
Monitoring Recommendations
- Collect kernel crash dumps centrally and search for rt9455 or power_supply_changed frames
- Track CONFIG_CHARGER_RT9455 build status on managed device images to identify exposed fleets
- Alert on repeated unexplained reboots on embedded Linux devices that integrate Richtek charger ICs
How to Mitigate CVE-2026-46270
Immediate Actions Required
- Apply the upstream Linux stable kernel updates that reorder IRQ registration after power_supply registration in the rt9455 driver
- Rebuild and redeploy custom kernels that include drivers/power/supply/rt9455.c with the fix backported
- Validate that vendor-supplied kernels for affected embedded platforms include the patch before shipping firmware updates
Patch Information
The fix is available across multiple stable branches via the following commits: 2178dc65d45e, 62d753b916bd, 64e15155095f, 721449a15170, a39f8f06216f, af261f218a76, d4e2e3c3caa2, and e2febe375e5e. The fix requests the IRQ only after the power_supply handle is registered, ensuring the handler never accesses a freed or uninitialized structure.
Workarounds
- Disable the CONFIG_CHARGER_RT9455 kernel option on systems that do not require the driver
- Avoid runtime unbinding or module unloading of rt9455 on production devices until the patch is applied
- Restrict physical access to devices integrating the RT9455 charger to reduce opportunities for triggering driver probe and removal cycles
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
