CVE-2026-46246 in Linux

Summary

by MITRE • 06/03/2026

In the Linux kernel, the following vulnerability has been resolved:

power: supply: pm8916_lbc: Fix use-after-free for extcon in IRQ handler

Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `extcon` handle, means that the `extcon` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `extcon` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling `extcon_set_state_sync()` with a freed `extcon` handle, which usually crashes the system or otherwise silently corrupts the memory...

Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `extcon` handle.


Analysis

by VulDB Data Team • 06/03/2026

This vulnerability exists within the Linux kernel's power supply subsystem, specifically in the pm8916_lbc driver, which manages battery charging for certain Qualcomm devices. The issue stems from improper resource management order during device initialization and removal sequences. The order in which the driver requests its interrupt handler and allocates its extcon (external connector) handle creates a dangerous race condition that can lead to system instability or crashes.

The technical flaw occurs due to the reverse order of resource deallocation in the device management framework. The devm_ family of functions automatically handles resource cleanup in reverse order of allocation. Because the driver requested the IRQ handler with a devm_ variant before it allocated and registered the extcon handle with a devm_ variant, device removal deallocates the extcon handle before the IRQ handler's unregistration completes, creating a window where interrupts can fire against freed memory.

This vulnerability represents a classic use-after-free condition that maps directly to CWE-416 and CWE-125 in the Common Weakness Enumeration catalog. The race condition described aligns with ATT&CK technique T1059.006 for system compromise through kernel memory corruption. When an interrupt fires during this window, the IRQ handler attempts to call extcon_set_state_sync() with a pointer to deallocated memory, causing either immediate system crashes or silent memory corruption that can lead to privilege escalation or persistent system instability.

The fix reorders the resource management operations so that the extcon handle is allocated and registered before the IRQ handler is requested. This simple but critical change prevents the race condition by ensuring that the extcon handle stays valid for as long as the interrupt handler can run. The solution follows established kernel development practices for avoiding use-after-free conditions in device driver code and maintains compatibility with existing power management functionality. It eliminates the memory safety vulnerability that could be exploited by malicious actors to gain unauthorized system access or cause denial of service conditions.
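The release ordering described above, modelled in userspace C as an added example (not code from the kernel or from the pm8916_lbc driver). `struct dev_model`, `devm_add()` and `teardown_has_uaf_window()` are hypothetical names standing in for the devres list; no real kernel API is called.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model: managed resources are released in reverse
 * order of registration, as the devm_ helpers do. */
enum res { RES_IRQ, RES_EXTCON };

struct dev_model {
    enum res stack[4];  /* resources in registration order */
    size_t n;
    bool irq_live;      /* handler can still be invoked */
    bool extcon_live;   /* extcon handle memory is still valid */
};

static void devm_add(struct dev_model *d, enum res r)
{
    d->stack[d->n++] = r;
    if (r == RES_IRQ) d->irq_live = true; else d->extcon_live = true;
}

/* Unwind last-in-first-out. Returns true if, after any release step,
 * the IRQ handler is still live while the extcon handle is gone. */
static bool teardown_has_uaf_window(struct dev_model *d)
{
    bool window = false;
    while (d->n > 0) {
        enum res r = d->stack[--d->n];
        if (r == RES_IRQ) d->irq_live = false; else d->extcon_live = false;
        if (d->irq_live && !d->extcon_live) window = true;
    }
    return window;
}

/* Order before the fix: IRQ requested first, extcon registered second. */
bool buggy_order_has_window(void)
{
    struct dev_model d = {0};
    devm_add(&d, RES_IRQ);
    devm_add(&d, RES_EXTCON);
    return teardown_has_uaf_window(&d);
}

/* Order after the fix: extcon registered first, IRQ requested last. */
bool fixed_order_has_window(void)
{
    struct dev_model d = {0};
    devm_add(&d, RES_EXTCON);
    devm_add(&d, RES_IRQ);
    return teardown_has_uaf_window(&d);
}

int main(void)
{
    printf("buggy order window: %d\n", buggy_order_has_window());
    printf("fixed order window: %d\n", fixed_order_has_window());
    return 0;
}
```

The same check applies when reviewing any driver that mixes `devm_` IRQ requests with other managed resources the handler dereferences: the IRQ request should be the last managed resource registered among those it depends on.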

Responsible: Linux
Reservation: 05/13/2026
Disclosure: 06/03/2026
Moderation: accepted
CPE: ready
EPSS: 0.00000
KEV: no
Activities: very low
