CVE-2026-23452
Description
In the Linux kernel, the following vulnerability has been resolved:
PM: runtime: Fix a race condition related to device removal
The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed:
    /* Maybe the parent is now able to suspend. */
    if (parent && !parent->power.ignore_children) {
        spin_unlock(&dev->power.lock);

        spin_lock(&parent->power.lock);
        rpm_idle(parent, RPM_ASYNC);
        spin_unlock(&parent->power.lock);

        spin_lock(&dev->power.lock);
    }
Fix this by inserting a flush_work() call in pm_runtime_remove().
Without this patch blktest block/001 triggers the following complaint sporadically:
BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160
Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081
Workqueue: pm pm_runtime_work
Call Trace:
 dump_stack_lvl+0x61/0x80
 print_address_description.constprop.0+0x8b/0x310
 print_report+0xfd/0x1d7
 kasan_report+0xd8/0x1d0
 __kasan_check_byte+0x42/0x60
 lock_acquire.part.0+0x38/0x230
 lock_acquire+0x70/0x160
 _raw_spin_lock+0x36/0x50
 rpm_suspend+0xc6a/0xfe0
 rpm_idle+0x578/0x770
 pm_runtime_work+0xee/0x120
 process_one_work+0xde3/0x1410
 worker_thread+0x5eb/0xfe0
 kthread+0x37b/0x480
 ret_from_fork+0x6cb/0x920
 ret_from_fork_asm+0x11/0x20

Allocated by task 4314:
 kasan_save_stack+0x2a/0x50
 kasan_save_track+0x18/0x40
 kasan_save_alloc_info+0x3d/0x50
 __kasan_kmalloc+0xa0/0xb0
 __kmalloc_noprof+0x311/0x990
 scsi_alloc_target+0x122/0xb60 [scsi_mod]
 __scsi_scan_target+0x101/0x460 [scsi_mod]
 scsi_scan_channel+0x179/0x1c0 [scsi_mod]
 scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]
 store_scan+0x2d2/0x390 [scsi_mod]
 dev_attr_store+0x43/0x80
 sysfs_kf_write+0xde/0x140
 kernfs_fop_write_iter+0x3ef/0x670
 vfs_write+0x506/0x1470
 ksys_write+0xfd/0x230
 __x64_sys_write+0x76/0xc0
 x64_sys_call+0x213/0x1810
 do_syscall_64+0xee/0xfc0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Freed by task 4314:
 kasan_save_stack+0x2a/0x50
 kasan_save_track+0x18/0x40
 kasan_save_free_info+0x3f/0x50
 __kasan_slab_free+0x67/0x80
 kfree+0x225/0x6c0
 scsi_target_dev_release+0x3d/0x60 [scsi_mod]
 device_release+0xa3/0x220
 kobject_cleanup+0x105/0x3a0
 kobject_put+0x72/0xd0
 put_device+0x17/0x20
 scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]
 device_release+0xa3/0x220
 kobject_cleanup+0x105/0x3a0
 kobject_put+0x72/0xd0
 put_device+0x17/0x20
 scsi_device_put+0x7f/0xc0 [scsi_mod]
 sdev_store_delete+0xa5/0x120 [scsi_mod]
 dev_attr_store+0x43/0x80
 sysfs_kf_write+0xde/0x140
 kernfs_fop_write_iter+0x3ef/0x670
 vfs_write+0x506/0x1470
 ksys_write+0xfd/0x230
 __x64_sys_write+0x76/0xc0
 x64_sys_call+0x213/0x1810
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Linux kernel PM runtime can cause a use-after-free when pm_runtime_work() accesses a freed parent device, fixed by adding flush_work() in pm_runtime_remove().
Vulnerability Overview
The Linux kernel's Power Management (PM) runtime subsystem contains a race condition in the pm_runtime_work() function. When a device is removed, the workqueue handler may dereference the dev->parent pointer after the parent device has already been freed. This occurs because the code in pm_runtime_work() attempts to check parent->power.ignore_children and call rpm_idle(parent, ...) without synchronizing with device removal, leading to a use-after-free [1].
Root Cause and Exploitation
The root cause is a lack of proper synchronization between device removal and the runtime PM workqueue. Specifically, pm_runtime_remove() did not flush pending work items before freeing the parent device. When a parent device is removed (e.g., during SCSI target allocation failure as shown in the kernel bug report), a work item already queued on the parent's workqueue can still be processed later, attempting to lock and access the now-freed parent structure. This race is triggered by operations such as scanning SCSI hosts and then removing devices, as demonstrated by the blktest block/001 test case [1].
Impact
An attacker with the ability to trigger device removal and runtime PM transitions could exploit this race to corrupt kernel memory. The bug report shows a KASAN slab-use-after-free on a lock_acquire call, indicating that an attacker may achieve arbitrary read or write by manipulating the freed memory. In a worst-case scenario, this could lead to privilege escalation or denial of service. The vulnerability affects systems using the Linux kernel with runtime PM enabled, particularly those with hot-pluggable devices like SCSI buses.
Mitigation
Linus Torvalds has merged the fix into the mainline kernel, which inserts a flush_work() call in pm_runtime_remove() to ensure all pending PM work for the device is completed before the parent device is freed [1]. Users should apply the stable kernel updates once available (e.g., commits referenced in the advisory). No workaround is currently known, and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication date.
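The ordering that the flush_work() call enforces, replayed as a sequential userspace model. This is an added example, not kernel code and not the patch itself; every name in it (mdev, mwork, work_resume, model_flush_work, remove_child) is hypothetical, and the freed flag stands in for kfree() so the stale access can be observed without undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model of the interleaving; hypothetical names, not kernel code. */
struct mdev {
	struct mdev *parent;
	bool freed;            /* set instead of calling free(), so a stale access is observable */
	bool ignore_children;
	int idle_calls;        /* times the modelled rpm_idle() ran on this device */
};

struct mwork {             /* one in-flight pm_runtime_work() invocation */
	struct mdev *dev;
	bool running;          /* already past spin_unlock(&dev->power.lock) */
	bool stale_access;     /* touched a freed parent: the condition KASAN reports */
};

/* Remainder of the work item: the parent access from the snippet in the description. */
static void work_resume(struct mwork *w)
{
	struct mdev *parent = w->dev->parent;
	if (!w->running)
		return;
	if (parent && parent->freed)
		w->stale_access = true;
	else if (parent && !parent->ignore_children)
		parent->idle_calls++;
	w->running = false;
}

/* Stand-in for flush_work(): returns only once the in-flight work has finished. */
static void model_flush_work(struct mwork *w) { work_resume(w); }

/* Remove a child whose work is in flight; true means a freed parent was touched. */
static bool remove_child(bool flush_in_remove)
{
	struct mdev parent = { 0 }, child = { .parent = &parent };
	struct mwork w = { .dev = &child, .running = true };
	if (flush_in_remove)
		model_flush_work(&w);  /* ordering the fixed pm_runtime_remove() enforces */
	parent.freed = true;       /* removal lets the parent be released */
	work_resume(&w);           /* worker continues; a no-op if already flushed */
	return w.stale_access;
}

int main(void)
{
	printf("without flush: %d, with flush: %d\n", remove_child(false), remove_child(true));
	return 0;
}
```

In the kernel the two sides run concurrently (a kworker and the task removing the device), so the unflushed ordering only occurs sporadically, which matches the intermittent blktest block/001 report.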
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/20f6e2e22a9c6234113812d5f300d3e952a82721 (nvd)
- git.kernel.org/stable/c/29ab768277617452d88c0607c9299cdc63b6e9ff (nvd)
- git.kernel.org/stable/c/39f2d86f2ddde8d1beda05732f30c7cd945e0b5a (nvd)
- git.kernel.org/stable/c/5649b46af8b167259e8a8e4e7eb3667ce74554b5 (nvd)
- git.kernel.org/stable/c/b6dd1a562ca8ba96c8ecb247c62b73f9fa02d47e (nvd)
- git.kernel.org/stable/c/bb081fd37f8312651140d7429557258afe51693d (nvd)
- git.kernel.org/stable/c/c6febaacfb8a0aec7d771a0e6c21cd68102d5679 (nvd)
- git.kernel.org/stable/c/cf65a77c0f9531eb6cfb97cc040974d2d8fff043 (nvd)