CVE-2026-31741
Description
In the Linux kernel, the following vulnerability has been resolved:
counter: rz-mtu3-cnt: prevent counter from being toggled multiple times
Runtime PM counter is incremented / decremented each time the sysfs enable file is written to.
If user writes 0 to the sysfs enable file multiple times, runtime PM usage count underflows, generating the following message.
rz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow!
At the same time, hardware registers end up being accessed with clocks off in rz_mtu3_terminate_counter() to disable an already disabled channel.
If user writes 1 to the sysfs enable file multiple times, runtime PM usage count will be incremented each time, requiring the same number of 0 writes to get it back to 0.
If user writes 0 to the sysfs enable file while PWM is in progress, PWM is stopped without counter being the owner of the underlying MTU3 channel.
Check against the cached count_is_enabled value and exit if the user is trying to set the same enable value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's rz-mtu3-cnt counter driver, repeated writes to the sysfs enable file can cause a runtime PM usage count underflow or overflow and hardware access with clocks off.
Vulnerability
Analysis
The vulnerability resides in the rz-mtu3-cnt counter driver within the Linux kernel. The core issue is a lack of state checking when a user writes to the sysfs enable file. Each write to this file unconditionally increments or decrements the runtime PM usage count, regardless of whether the counter is already enabled or disabled. This leads to an imbalance in the usage count if the same value is written multiple times. On a write of 0 to disable an already disabled counter, the runtime PM usage count underflows, which triggers a kernel warning message: "Runtime PM usage count underflow!". Additionally, the disabled code path attempts to disable the channel again, accessing hardware registers while the clocks are off, which can cause undefined behavior or system instability. Conversely, writing 1 multiple times increments the usage count each time, requiring an equal number of 0 writes to restore it, effectively allowing a denial-of-service condition where the counter cannot be properly powered down [Description].
Attack
Vector and Preconditions
The vulnerability is triggered through local access to the sysfs interface for the rz-mtu3-cnt device. An attacker must have write permissions to the sysfs enable attribute, which typically requires root privileges or access to the device's sysfs entry. The attack is simple: repeatedly writing the same enable value (0 or 1) to the file causes the described count imbalance. No special hardware or network position is needed; it is a purely software-triggered issue through standard user-space interaction [Description].
Impact
The impact of this vulnerability is primarily a denial-of-service condition. The runtime PM framework may become locked in an inconsistent state, causing unwanted side effects. Hardware registers may be accessed without clocks, potentially leading to system hangs or unexpected behavior. Additionally, if a write of 0 occurs while a PWM is in progress, the PWM is stopped without the counter properly releasing the underlying MTU3 channel, which could leave hardware in an inconsistent state [Description].
Mitigation
The fix, as referenced in the kernel stable git commits [1][2][3][4], adds a check against a cached count_is_enabled value. If the user attempts to set the enable file to the same value as the current state, the driver now exits early without modifying the runtime PM usage count or performing hardware operations. This prevents the usage count imbalance and ensures that hardware is only performed when the state actually changes. Users should apply the patched kernel version containing the commit that corrects this behavior [Description].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.4,<6.6.134
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/67c3f99bed6f422ba343d2b70a2eeeccdfd91befnvdPatch
- git.kernel.org/stable/c/885aa739a07ab45e90dfa997205acec97979ce4envdPatch
- git.kernel.org/stable/c/ced8b48420eddb1251f93c22dc23fa136490b3cdnvdPatch
- git.kernel.org/stable/c/e07237df8538b0ae98dce112e4f6db093d767f80nvdPatch
- git.kernel.org/stable/c/f5f6f06d7e6d262026578b59ba7426eb04acce5dnvdPatch
News mentions
0No linked articles in our index yet.