CVE-2026-23101 in Linuxinfo

Summary

by MITRE • 02/04/2026

In the Linux kernel, the following vulnerability has been resolved:

leds: led-class: Only Add LED to leds_list when it is fully ready

Before this change the LED was added to leds_list before led_init_core() gets called adding it the list before led_classdev.set_brightness_work gets initialized.

This leaves a window where led_trigger_register() of a LED's default trigger will call led_trigger_set() which calls led_set_brightness() which in turn will end up queueing the *uninitialized* led_classdev.set_brightness_work.

This race gets hit by the lenovo-thinkpad-t14s EC driver which registers 2 LEDs with a default trigger provided by snd_ctl_led.ko in quick succession. The first led_classdev_register() causes an async modprobe of snd_ctl_led to run and that async modprobe manages to exactly hit the window where the second LED is on the leds_list without led_init_core() being called for it, resulting in:

------------[ cut here ]------------
WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390 Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025 ... Call trace: __flush_work+0x344/0x390 (P) flush_work+0x2c/0x50 led_trigger_set+0x1c8/0x340 led_trigger_register+0x17c/0x1c0 led_trigger_register_simple+0x84/0xe8 snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]
do_one_initcall+0x5c/0x318 do_init_module+0x9c/0x2b8 load_module+0x7e0/0x998

Close the race window by moving the adding of the LED to leds_list to after the led_init_core() call.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/03/2026

This vulnerability exists in the Linux kernel's LED subsystem where a race condition occurs during LED initialization that can lead to system instability and potential exploitation. The flaw specifically affects the led-class implementation where LED devices are added to the global leds_list before their core initialization is complete. This creates a temporal window where subsequent LED registration operations can reference uninitialized data structures, particularly the led_classdev.set_brightness_work field that is crucial for proper LED brightness management.

The technical implementation issue stems from the order of operations in the LED registration process. When led_classdev_register() is called, it adds the LED device to the global leds_list before invoking led_init_core() which properly initializes the LED's core data structures including the workqueue used for brightness operations. This sequence allows for a scenario where a second LED registration can occur while the first LED is partially initialized, creating the conditions for a race window that leads to kernel memory corruption.

The operational impact of this vulnerability is significant as it can cause kernel panics and system crashes through the workqueue subsystem. The specific crash pattern shows a call trace leading to __flush_work in kernel/workqueue.c, indicating that uninitialized work structures are being processed. This vulnerability is particularly dangerous because it can be triggered by legitimate hardware drivers such as the lenovo-thinkpad-t14s EC driver which registers multiple LEDs with default triggers in rapid succession, making it difficult to detect and prevent through normal system monitoring.

The race condition manifests when the lenovo-thinkpad-t14s driver registers two LEDs with default triggers provided by the snd_ctl_led.ko module in quick succession. The first LED registration triggers an asynchronous modprobe operation for snd_ctl_led, which manages to complete exactly during the window where the second LED has already been added to the leds_list but not yet initialized by led_init_core(). This timing issue creates a perfect storm where led_trigger_register() attempts to set the brightness of the second LED before its workqueue has been properly initialized, causing the kernel to attempt to queue an uninitialized work structure.

This vulnerability directly relates to CWE-362, which describes a race condition where concurrent processes or threads can access shared resources without proper synchronization, and also aligns with ATT&CK technique T1068, which covers privilege escalation through exploitation of system vulnerabilities. The flaw represents a classic concurrency issue in kernel space where proper ordering of initialization operations is critical for system stability and security. The fix implemented by moving the LED addition to leds_list after led_init_core() call ensures proper initialization ordering and eliminates the race window that leads to kernel memory corruption. This remediation addresses the fundamental issue of temporal coupling in kernel data structure initialization and prevents malicious actors from exploiting similar timing-based vulnerabilities in the LED subsystem.

The broader implications of this vulnerability extend beyond simple system crashes to potential privilege escalation scenarios, as kernel memory corruption can be leveraged to execute arbitrary code with kernel privileges. This makes the vulnerability particularly concerning for embedded systems and devices where kernel-level access can provide complete system compromise. The vulnerability demonstrates the importance of proper initialization ordering in kernel subsystems and highlights how seemingly minor ordering issues can lead to catastrophic system failures. System administrators should ensure that all Linux kernel updates are applied promptly to address this vulnerability, as it can be exploited by attackers with minimal privileges to cause denial of service or potentially achieve more serious security compromises.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00120

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!