CVE-2026-31740
Description
In the Linux kernel, the following vulnerability has been resolved:
counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member
The counter driver can use HW channels 1 and 2, while the PWM driver can use HW channels 0, 1, 2, 3, 4, 6, 7.
The dev member is assigned both by the counter driver and the PWM driver for channels 1 and 2, to their own struct device instance, overwriting the previous value.
The sub-drivers race to assign their own struct device pointer to the same struct rz_mtu3_channel's dev member.
The dev member of struct rz_mtu3_channel is used by the counter sub-driver for runtime PM.
Depending on the probe order of the counter and PWM sub-drivers, the dev member may point to the wrong struct device instance, causing the counter sub-driver to do runtime PM actions on the wrong device.
To fix this, use the parent pointer of the counter, which is assigned during probe to the correct struct device, not the struct device pointer inside the shared struct rz_mtu3_channel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Linux kernel's rz-mtu3-cnt counter driver causes incorrect runtime PM operations due to overwritten struct device pointer.
The vulnerability is a race condition in the Linux kernel's rz-mtu3-cnt counter driver. The driver shares the dev member of struct rz_mtu3_channel with the PWM driver for hardware channels 1 and 2. Both sub-drivers assign their own struct device * to this field, overwriting the previous value.
An attacker with local access could exploit this by manipulating the probe order of the counter and PWM sub-drivers. If the counter driver's dev member points to the PWM driver's device instance, subsequent runtime PM operations by the counter driver would target the wrong device, potentially causing system instability or denial of service.
The impact is medium severity (CVSS 5.5) as it requires local access and is primarily a denial-of-service scenario. The fix is to use the parent pointer of the counter device instead of the shared member, preventing the race. Patches are available in the stable kernel tree [1][2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.4,<6.6.134
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/28a371be901ef44ee03726c2575d7d6795521fe0nvdPatch
- git.kernel.org/stable/c/2932095c114b98cbb40ccf34fc00d613cb17ceadnvdPatch
- git.kernel.org/stable/c/633dfbf0eb2766c597c1a59dd83035c82e14791dnvdPatch
- git.kernel.org/stable/c/63be324c795262f0e316c6fe9b329d83afa1ec93nvdPatch
- git.kernel.org/stable/c/6562290225c197e2e193a53de2a517815288dcd1nvdPatch
News mentions
0No linked articles in our index yet.