CVE-2026-45914 (GCVE-0-2026-45914)
Vulnerability from cvelistv5
Published
2026-05-27 12:17
Modified
2026-05-27 12:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "hwmon: (ibmpex) fix use-after-free in high/low store"
This reverts commit 6946c726c3f4c36f0f049e6f97e88c510b15f65d.
Jean Delvare points out that the patch does not completely
fix the reported problem, that it in fact introduces a
(new) race condition, and that it may actually not be needed in
the first place.
Various AI reviews agree. Specific and relevant AI feedback:
"
This reordering sets the driver data to NULL before removing the sensor
attributes in the loop below.
ibmpex_show_sensor() retrieves this driver data via dev_get_drvdata() but
does not check if it is NULL before dereferencing it to access
data->sensors[].
If a userspace process reads a sensor file (like temp1_input) while this
delete function is running, could it race with the dev_set_drvdata(...,
NULL) call here and crash in ibmpex_show_sensor()?
Would it be safer to keep the original order where device_remove_file() is
called before clearing the driver data? device_remove_file() should wait
for any active sysfs callbacks to complete, which might already prevent the
use-after-free this patch intends to fix.
"
Revert the offending patch. If it can be shown that the originally reported
alleged race condition does indeed exist, it can always be re-introduced
with a complete fix.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3ce9b7ae9d4d148672b35147aaf7987a4f82bb94 Version: 533ead425f8109b02fecc7e72d612b8898ec347a Version: fa37adcf1d564ef58b9dfb01b6c36d35c5294bad Version: 68d62e5bebbd118b763e8bb210d5cf2198ef450c Version: 5aa2139201667c1f644601e4529c4acd6bf8db5a Version: 6946c726c3f4c36f0f049e6f97e88c510b15f65d Version: 6946c726c3f4c36f0f049e6f97e88c510b15f65d Version: 5.10.248 ≤ Version: 6.1.160 ≤ Version: 6.6.120 ≤ Version: 6.12.64 ≤ Version: 6.18.3 ≤ |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/ibmpex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "05112ba67c824ab416cd54307c0b50aba9f0047a",
"status": "affected",
"version": "3ce9b7ae9d4d148672b35147aaf7987a4f82bb94",
"versionType": "git"
},
{
"lessThan": "efd68429f23fb4015b0ebc2392334059e06fad18",
"status": "affected",
"version": "533ead425f8109b02fecc7e72d612b8898ec347a",
"versionType": "git"
},
{
"lessThan": "f448acd86835a650f9ea83460b9ca347d3aafba5",
"status": "affected",
"version": "fa37adcf1d564ef58b9dfb01b6c36d35c5294bad",
"versionType": "git"
},
{
"lessThan": "914b47c9b824d3d74f31c764163edf93302100b1",
"status": "affected",
"version": "68d62e5bebbd118b763e8bb210d5cf2198ef450c",
"versionType": "git"
},
{
"lessThan": "14a38784e09aebc21207dc32fffa05247fc3dd64",
"status": "affected",
"version": "5aa2139201667c1f644601e4529c4acd6bf8db5a",
"versionType": "git"
},
{
"lessThan": "894d9c7aab68fd0c70c78b1d03c8fa589fb0f67d",
"status": "affected",
"version": "6946c726c3f4c36f0f049e6f97e88c510b15f65d",
"versionType": "git"
},
{
"lessThan": "8bde3e395a85017f12af2b0ba5c3684f5af9c006",
"status": "affected",
"version": "6946c726c3f4c36f0f049e6f97e88c510b15f65d",
"versionType": "git"
},
{
"lessThan": "5.10.252",
"status": "affected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThan": "6.1.165",
"status": "affected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThan": "6.6.128",
"status": "affected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThan": "6.12.75",
"status": "affected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThan": "6.18.14",
"status": "affected",
"version": "6.18.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/ibmpex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "5.10.248",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "6.1.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "6.6.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.12.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.18.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"hwmon: (ibmpex) fix use-after-free in high/low store\"\n\nThis reverts commit 6946c726c3f4c36f0f049e6f97e88c510b15f65d.\n\nJean Delvare points out that the patch does not completely\nfix the reported problem, that it in fact introduces a\n(new) race condition, and that it may actually not be needed in\nthe first place.\n\nVarious AI reviews agree. Specific and relevant AI feedback:\n\n\"\nThis reordering sets the driver data to NULL before removing the sensor\nattributes in the loop below.\n\nibmpex_show_sensor() retrieves this driver data via dev_get_drvdata() but\ndoes not check if it is NULL before dereferencing it to access\ndata-\u003esensors[].\n\nIf a userspace process reads a sensor file (like temp1_input) while this\ndelete function is running, could it race with the dev_set_drvdata(...,\nNULL) call here and crash in ibmpex_show_sensor()?\n\nWould it be safer to keep the original order where device_remove_file() is\ncalled before clearing the driver data? device_remove_file() should wait\nfor any active sysfs callbacks to complete, which might already prevent the\nuse-after-free this patch intends to fix.\n\"\n\nRevert the offending patch. If it can be shown that the originally reported\nalleged race condition does indeed exist, it can always be re-introduced\nwith a complete fix."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T12:17:29.426Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/05112ba67c824ab416cd54307c0b50aba9f0047a"
},
{
"url": "https://git.kernel.org/stable/c/efd68429f23fb4015b0ebc2392334059e06fad18"
},
{
"url": "https://git.kernel.org/stable/c/f448acd86835a650f9ea83460b9ca347d3aafba5"
},
{
"url": "https://git.kernel.org/stable/c/914b47c9b824d3d74f31c764163edf93302100b1"
},
{
"url": "https://git.kernel.org/stable/c/14a38784e09aebc21207dc32fffa05247fc3dd64"
},
{
"url": "https://git.kernel.org/stable/c/894d9c7aab68fd0c70c78b1d03c8fa589fb0f67d"
},
{
"url": "https://git.kernel.org/stable/c/8bde3e395a85017f12af2b0ba5c3684f5af9c006"
}
],
"title": "Revert \"hwmon: (ibmpex) fix use-after-free in high/low store\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-45914",
"datePublished": "2026-05-27T12:17:29.426Z",
"dateReserved": "2026-05-13T15:03:33.085Z",
"dateUpdated": "2026-05-27T12:17:29.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…