CVE-2025-68354
Description
In the Linux kernel, the following vulnerability has been resolved:
regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
regulator_supply_alias_list was accessed without any locking in regulator_supply_alias(), regulator_register_supply_alias(), and regulator_unregister_supply_alias(). Concurrent registration, unregistration and lookups can race, leading to:
1 use-after-free if an alias entry is removed while being read, 2 duplicate entries when two threads register the same alias, 3 inconsistent alias mappings observed by consumers.
Protect all traversals, insertions and deletions on regulator_supply_alias_list with the existing regulator_list_mutex.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing lock in Linux kernel's regulator subsystem allows race conditions leading to use-after-free, duplicate aliases, or inconsistent mappings.
Vulnerability
Overview
The Linux kernel's regulator subsystem maintains a regulator_supply_alias_list to map supply aliases. The functions regulator_supply_alias(), regulator_register_supply_alias(), and regulator_unregister_supply_alias() accessed this list without any locking. This lack of synchronization allows concurrent registration, unregistration, and lookups to race [1].
Exploitation and
Attack Surface
Exploitation requires the ability to trigger concurrent operations on the alias list from multiple threads or processes. An attacker with sufficient privileges to register or unregister regulator supply aliases (e.g., via module loading or device tree overlays) could orchestrate a race condition. No authentication beyond standard kernel access is needed, but the attacker must be able to execute code in a context where regulator operations are performed [2].
Impact
A race can lead to a use-after-free if an alias entry is removed while another thread reads it, potentially allowing memory corruption and arbitrary code execution. Alternatively, the race can create duplicate alias entries, causing inconsistent supply mappings that misconfigure power management hardware, leading to system instability or denial of service [3].
Mitigation
The fix protects all traversals, insertions, and deletions on regulator_supply_alias_list with the existing regulator_list_mutex. This patch has been applied to the stable kernel tree and is part of the Linux kernel vulnerability disclosure process. Affected users should update to a kernel version containing commit a9864d42ebcd or backport the fix [1][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/09811a83b214cc15521e0d818e43ae9043e9a28dnvd
- git.kernel.org/stable/c/0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30dnvd
- git.kernel.org/stable/c/431a1d44ad4866362cc28fc1cc4ca93d84989239nvd
- git.kernel.org/stable/c/64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bfnvd
- git.kernel.org/stable/c/9d041a7ba13f21adfac052eb3fda1df62f2166c1nvd
- git.kernel.org/stable/c/a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61nvd
- git.kernel.org/stable/c/a9864d42ebcdd394ebb864643b961b36e7b515benvd
- git.kernel.org/stable/c/e1587064137028e7edcca14fb766b68d27bec94bnvd
News mentions
0No linked articles in our index yet.