Unrated severityNVD Advisory· Published Jun 3, 2026
CVE-2026-46270
CVE-2026-46270
Description
Linux kernel use-after-free vulnerability in rt9455 driver can lead to system crashes or memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel use-after-free vulnerability in rt9455 driver can lead to system crashes or memory corruption.
Vulnerability
A use-after-free vulnerability exists in the Linux kernel's rt9455 power supply driver. This occurs due to an incorrect ordering of resource management during device probe and removal. Specifically, the IRQ is requested before the power_supply handle is allocated and registered, leading to a race condition where an interrupt can fire after the handle is freed but before the IRQ handler is unregistered. This affects versions of the kernel where this specific ordering is present.
Exploitation
An attacker could exploit this vulnerability by triggering a device removal or probe operation. During the removal process, if an interrupt fires after the power_supply handle is freed but before the IRQ handler is unregistered, the vulnerability is triggered. Similarly, during probe, an interrupt firing before the power_supply handle is registered can lead to the handle being used uninitialized. Network access or local access is not explicitly required, but the conditions for the race window must be met.
Impact
Successful exploitation of this use-after-free vulnerability can lead to a system crash or silent memory corruption. This is because the interrupt handler attempts to call power_supply_changed() using a freed or uninitialized power_supply handle, compromising the integrity and availability of the system.
Mitigation
The vulnerability has been fixed by ensuring the IRQ is requested after the registration of the power_supply handle. The specific fixed version and release date are not detailed in the available references, but the fix is available in the Linux kernel source code [1]. There are no other workarounds or mitigation steps disclosed in the provided references.
References
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
16e2febe375e5epower: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitWaqar HameedDec 20, 2025Fixed in 7.0via kernel-cna
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index 1ffe7f02932f6..5130d2395e88f 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1663,6 +1663,15 @@ static int rt9455_probe(struct i2c_client *client) rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1678,14 +1687,6 @@ static int rt9455_probe(struct i2c_client *client) goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
d4e2e3c3caa2power: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitWaqar HameedDec 20, 2025Fixed in 5.10.252via kernel-cna
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index a84afccd509f1..89b414fac6c3a 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1665,6 +1665,15 @@ static int rt9455_probe(struct i2c_client *client, rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1680,14 +1689,6 @@ static int rt9455_probe(struct i2c_client *client, goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
62d753b916bdpower: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitWaqar HameedDec 20, 2025Fixed in 5.15.202via kernel-cna
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index a84afccd509f1..89b414fac6c3a 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1665,6 +1665,15 @@ static int rt9455_probe(struct i2c_client *client, rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1680,14 +1689,6 @@ static int rt9455_probe(struct i2c_client *client, goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
a39f8f06216fpower: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitWaqar HameedDec 20, 2025Fixed in 6.1.165via kernel-cna
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index c5597967a0699..566243a423c8f 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1665,6 +1665,15 @@ static int rt9455_probe(struct i2c_client *client, rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1680,14 +1689,6 @@ static int rt9455_probe(struct i2c_client *client, goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
af261f218a76power: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitWaqar HameedDec 20, 2025Fixed in 6.6.128via kernel-cna
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index e4dbacd50a437..248dc2b5e1f7c 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1663,6 +1663,15 @@ static int rt9455_probe(struct i2c_client *client) rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1678,14 +1687,6 @@ static int rt9455_probe(struct i2c_client *client) goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
2178dc65d45epower: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitWaqar HameedDec 20, 2025Fixed in 6.12.75via kernel-cna
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index 64a23e3d7bb00..803f4d258da9e 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1663,6 +1663,15 @@ static int rt9455_probe(struct i2c_client *client) rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1678,14 +1687,6 @@ static int rt9455_probe(struct i2c_client *client) goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
64e15155095fpower: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitWaqar HameedDec 20, 2025Fixed in 6.18.14via kernel-cna
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index 1ffe7f02932f6..5130d2395e88f 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1663,6 +1663,15 @@ static int rt9455_probe(struct i2c_client *client) rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1678,14 +1687,6 @@ static int rt9455_probe(struct i2c_client *client) goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
721449a15170power: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitWaqar HameedDec 20, 2025Fixed in 6.19.4via kernel-cna
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index 1ffe7f02932f6..5130d2395e88f 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1663,6 +1663,15 @@ static int rt9455_probe(struct i2c_client *client) rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1678,14 +1687,6 @@ static int rt9455_probe(struct i2c_client *client) goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
a39f8f06216fpower: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitWaqar HameedDec 20, 2025via nvd-ref
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index c5597967a0699..566243a423c8f 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1665,6 +1665,15 @@ static int rt9455_probe(struct i2c_client *client, rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1680,14 +1689,6 @@ static int rt9455_probe(struct i2c_client *client, goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
2178dc65d45epower: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitWaqar HameedDec 20, 2025via nvd-ref
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index 64a23e3d7bb00..803f4d258da9e 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1663,6 +1663,15 @@ static int rt9455_probe(struct i2c_client *client) rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1678,14 +1687,6 @@ static int rt9455_probe(struct i2c_client *client) goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
62d753b916bdpower: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitWaqar HameedDec 20, 2025via nvd-ref
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index a84afccd509f1..89b414fac6c3a 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1665,6 +1665,15 @@ static int rt9455_probe(struct i2c_client *client, rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1680,14 +1689,6 @@ static int rt9455_probe(struct i2c_client *client, goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
64e15155095fpower: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitWaqar HameedDec 20, 2025via nvd-ref
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index 1ffe7f02932f6..5130d2395e88f 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1663,6 +1663,15 @@ static int rt9455_probe(struct i2c_client *client) rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1678,14 +1687,6 @@ static int rt9455_probe(struct i2c_client *client) goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
721449a15170power: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitWaqar HameedDec 20, 2025via nvd-ref
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index 1ffe7f02932f6..5130d2395e88f 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1663,6 +1663,15 @@ static int rt9455_probe(struct i2c_client *client) rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1678,14 +1687,6 @@ static int rt9455_probe(struct i2c_client *client) goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
af261f218a76power: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitWaqar HameedDec 20, 2025via nvd-ref
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index e4dbacd50a437..248dc2b5e1f7c 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1663,6 +1663,15 @@ static int rt9455_probe(struct i2c_client *client) rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1678,14 +1687,6 @@ static int rt9455_probe(struct i2c_client *client) goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
d4e2e3c3caa2power: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitWaqar HameedDec 20, 2025via nvd-ref
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index a84afccd509f1..89b414fac6c3a 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1665,6 +1665,15 @@ static int rt9455_probe(struct i2c_client *client, rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1680,14 +1689,6 @@ static int rt9455_probe(struct i2c_client *client, goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
e2febe375e5epower: supply: rt9455: Fix use-after-free in power_supply_changed()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitWaqar HameedDec 20, 2025via nvd-ref
1 file changed · +9 −9
drivers/power/supply/rt9455_charger.c+9 −9 modifieddiff --git a/drivers/power/supply/rt9455_charger.c b/drivers/power/supply/rt9455_charger.c index 1ffe7f02932f6..5130d2395e88f 100644 --- a/drivers/power/supply/rt9455_charger.c +++ b/drivers/power/supply/rt9455_charger.c @@ -1663,6 +1663,15 @@ static int rt9455_probe(struct i2c_client *client) rt9455_charger_config.supplied_to = rt9455_charger_supplied_to; rt9455_charger_config.num_supplicants = ARRAY_SIZE(rt9455_charger_supplied_to); + + info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, + &rt9455_charger_config); + if (IS_ERR(info->charger)) { + dev_err(dev, "Failed to register charger\n"); + ret = PTR_ERR(info->charger); + goto put_usb_notifier; + } + ret = devm_request_threaded_irq(dev, client->irq, NULL, rt9455_irq_handler_thread, IRQF_TRIGGER_LOW | IRQF_ONESHOT, @@ -1678,14 +1687,6 @@ static int rt9455_probe(struct i2c_client *client) goto put_usb_notifier; } - info->charger = devm_power_supply_register(dev, &rt9455_charger_desc, - &rt9455_charger_config); - if (IS_ERR(info->charger)) { - dev_err(dev, "Failed to register charger\n"); - ret = PTR_ERR(info->charger); - goto put_usb_notifier; - } - return 0; put_usb_notifier: -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"A race condition exists between interrupt handling and resource deallocation during device removal or probe."
Attack vector
An attacker could trigger a race condition during device removal or probe. This occurs when an interrupt fires after the power supply handle has been freed but before the IRQ handler is unregistered, or when an interrupt fires before the power supply handle is registered. This leads to the interrupt handler calling `power_supply_changed()` with either a freed or uninitialized `power_supply` handle. The vulnerability is present in the `rt9455_probe()` function within the Linux kernel's power supply driver.
Affected code
The vulnerability resides in the `rt9455_probe()` function within the `drivers/power/supply/rt9455_charger.c` file. The issue stems from the order in which the interrupt is requested (`devm_request_threaded_irq`) relative to the registration of the power supply handle (`devm_power_supply_register`).
What the fix does
The patch corrects the order of operations within the `rt9455_probe()` function. Specifically, it ensures that the `devm_power_supply_register()` call occurs before `devm_request_threaded_irq()`. This guarantees that the power supply handle is allocated and registered before the interrupt is requested, preventing the interrupt handler from accessing a freed or uninitialized handle during probe or removal, thus resolving the use-after-free vulnerability [patch_id=4686535].
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/2178dc65d45e2f7bcaa8af8d80d100419bdab251nvd
- git.kernel.org/stable/c/62d753b916bd500bb269b7078cdab73198ab4718nvd
- git.kernel.org/stable/c/64e15155095f39f4dec9b4659da1238ef8fc54d4nvd
- git.kernel.org/stable/c/721449a15170fc5f028a7576d7f65b9f60d53482nvd
- git.kernel.org/stable/c/a39f8f06216f73ef40e71e2fe4ad071964c1fd36nvd
- git.kernel.org/stable/c/af261f218a7606f93d2c786353d60bb4feb56ef0nvd
- git.kernel.org/stable/c/d4e2e3c3caa26b93aa9f36d0a6824b584e2a8dfcnvd
- git.kernel.org/stable/c/e2febe375e5ea5afed92f4cd9711bde8f24ee6d2nvd
News mentions
2- Google Android and Linux Kernel: 50 Vulnerabilities Disclosed in Two BatchesVypr Intelligence · Jun 3, 2026
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 3, 2026Vypr Intelligence · Jun 3, 2026