CVE-2023-54079
Description
In the Linux kernel, the following vulnerability has been resolved:
power: supply: bq27xxx: Fix poll_interval handling and races on remove
Before this patch bq27xxx_battery_teardown() was setting poll_interval = 0 to avoid bq27xxx_battery_update() requeuing the delayed_work item.
There are 2 problems with this:
1. If the driver is unbound through sysfs, rather than the module being rmmod-ed, this changes poll_interval unexpectedly
2. This is racy: after it has been set, poll_interval could be changed through /sys/module/bq27xxx_battery/parameters/poll_interval before bq27xxx_battery_update() checks it
Fix this by adding a removed attribute to struct bq27xxx_device_info and using that instead of setting poll_interval to 0.
There is also another poll_interval related race on remove(): writing /sys/module/bq27xxx_battery/parameters/poll_interval will requeue the delayed_work item for all devices on the bq27xxx_battery_devices list, and the device being removed was only removed from that list after cancelling the delayed_work item.
Fix this by moving the removal from the bq27xxx_battery_devices list to before cancelling the delayed_work item.
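The two remove() orderings described above, as a deterministic userspace model. This is an added example, not the driver's code: the struct, the function names, the step numbering and the position of the flag relative to list removal in the fixed path are assumptions of the model.

```c
#include <stdbool.h>

struct dev_model {     /* constructed model, not the driver's struct */
    bool on_list;      /* still on bq27xxx_battery_devices */
    bool work_queued;  /* delayed_work item pending */
    bool removed;      /* per-device flag added by the fix */
};
static unsigned int poll_interval;  /* models the module parameter */

/* Parameter write: requeues work for every device still on the list. */
static void param_write(struct dev_model *d, unsigned int val)
{
    poll_interval = val;
    if (d->on_list)
        d->work_queued = true;
}

/* Requeue check in bq27xxx_battery_update(); old code never sets removed. */
static void update(struct dev_model *d)
{
    if (!d->removed && poll_interval > 0)
        d->work_queued = true;
}

/* Teardown with a parameter write before step write_at and an update()
 * call before step update_at (-1 = never, 3 = after the last step).
 * Returns true if work is still queued on the torn-down device. */
static bool teardown_leaves_work(bool fixed, int write_at, int update_at)
{
    struct dev_model d = { .on_list = true, .work_queued = true };

    poll_interval = 360;
    for (int step = 0; step <= 3; step++) {
        if (step == write_at)
            param_write(&d, 60);
        if (step == update_at)
            update(&d);
        if (step == 0 && fixed)
            d.removed = true;           /* fix: parameter untouched */
        else if (step == 0)
            poll_interval = 0;          /* old: clobbers the parameter */
        else if (step == (fixed ? 1 : 2))
            d.on_list = false;          /* list removal */
        else if (step == (fixed ? 2 : 1))
            d.work_queued = false;      /* cancel the delayed_work */
    }
    return d.work_queued;
}
```

In the old ordering, a write landing between the cancel and the list removal (write_at = 2), or a write followed by a later update() call, leaves work queued on a device that has been torn down; in the fixed ordering no interleaving in this model does.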
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's bq27xxx battery driver could cause use-after-free or unexpected behavior when the device is removed.
Vulnerability
In the Linux kernel's bq27xxx battery driver, the bq27xxx_battery_teardown() function set poll_interval = 0 to prevent the delayed work item from being requeued. This approach had two flaws: it could unexpectedly change the module parameter poll_interval when the driver was unbound via sysfs, and it was racy because poll_interval could be modified concurrently through /sys/module/bq27xxx_battery/parameters/poll_interval before the work function checks it [1].
Exploitation
An attacker with local access could exploit this race condition by triggering a device removal (e.g., via sysfs unbind) while simultaneously writing to the poll_interval sysfs parameter. This could cause the delayed work item to be requeued after the device has been torn down, leading to a use-after-free condition [1].
Impact
Successful exploitation could result in a kernel crash (denial of service) or potentially arbitrary code execution, depending on the memory state. The vulnerability affects systems using the bq27xxx battery driver, which is common in many Linux-based devices.
Mitigation
The fix introduces a removed flag in struct bq27xxx_device_info and moves the device removal from the bq27xxx_battery_devices list to before cancelling the delayed work item, eliminating the race condition [1]. Patches are available in the stable kernel tree; users should update to the latest kernel version.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (8)
4c9615474fb0, 465d919151a1, 0c5f4cec7596, e85757da9091, e98e5bebfcaf, d952a1eaafcc, b12faeca0e81, c00bc80462af
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/0c5f4cec759679c290720fbcf6bb81768e21c95b (nvd)
- git.kernel.org/stable/c/465d919151a1e8d40daf366b868914f59d073211 (nvd)
- git.kernel.org/stable/c/4c9615474fb0a41cfad658d78db3c9ec70912969 (nvd)
- git.kernel.org/stable/c/b12faeca0e819ea09051a705fef9df7ea7e9e18c (nvd)
- git.kernel.org/stable/c/c00bc80462afc7963f449d7f21d896d2f629cacc (nvd)
- git.kernel.org/stable/c/d952a1eaafcc5f0351caad5dbe9b5b3300d1d529 (nvd)
- git.kernel.org/stable/c/e85757da9091998276ff21a13915ac25229cc232 (nvd)
- git.kernel.org/stable/c/e98e5bebfcafc75a7b41192a607dfea5c1268afa (nvd)