CVE-2026-23186
Deadlock Vulnerability in Linux Kernel acpi_power_meter Driver

Publication date: 2026-02-14

Last updated on: 2026-03-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (acpi_power_meter) Fix deadlocks related to acpi_power_meter_notify()

The acpi_power_meter driver's .notify() callback function, acpi_power_meter_notify(), calls hwmon_device_unregister() under a lock that is also acquired by callbacks in sysfs attributes of the device being unregistered which is prone to deadlocks between sysfs access and device removal.

Address this by moving the hwmon device removal in acpi_power_meter_notify() outside the lock in question, but notice that doing it alone is not sufficient because two concurrent METER_NOTIFY_CONFIG notifications may be attempting to remove the same device at the same time. To prevent that from happening, add a new lock serializing the execution of the switch () statement in acpi_power_meter_notify(). For simplicity, it is a static mutex which should not be a problem from the performance perspective.

The new lock also allows the hwmon_device_register_with_info() in acpi_power_meter_notify() to be called outside the inner lock because it prevents the other notifications handled by that function from manipulating the "resource" object while the hwmon device based on it is being registered. The sending of ACPI netlink messages from acpi_power_meter_notify() is serialized by the new lock too which generally helps to ensure that the order of handling firmware notifications is the same as the order of sending netlink messages related to them.

In addition, notice that hwmon_device_register_with_info() may fail in which case resource->hwmon_dev will become an error pointer, so add checks to avoid attempting to unregister the hwmon device pointed to by it in that case to acpi_power_meter_notify() and acpi_power_meter_remove().
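
The lock ordering described above, reduced to a single-threaded userspace model with pthread mutexes. This is an added example, not the kernel patch or the driver's code; struct resource, model_unregister() and the notify_config_* functions are hypothetical names, and a trylock stands in for the sysfs callback that removal has to wait for, so the deadlock-prone ordering is counted instead of hanging.

```c
/* Added userspace model, not kernel code; all names are hypothetical. */
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
/* Same idea as the kernel's IS_ERR(): the top 4095 addresses encode -errno. */
#define MODEL_IS_ERR(p) ((uintptr_t)(p) >= (uintptr_t)-4095)
#define RESOURCE_INIT(dev) { PTHREAD_MUTEX_INITIALIZER, (dev), 0, 0 }
struct resource {
    pthread_mutex_t lock; /* inner lock, also taken by sysfs callbacks */
    void *hwmon_dev;      /* valid pointer, NULL, or an error pointer */
    int unregistered;     /* removals that completed */
    int blocked;          /* removals that would have hung */
};
static pthread_mutex_t notify_lock = PTHREAD_MUTEX_INITIALIZER; /* outer lock */
/* Stand-in for hwmon_device_unregister(): waits for a sysfs callback needing r->lock. */
static void model_unregister(struct resource *r) {
    if (pthread_mutex_trylock(&r->lock) == EBUSY) {
        r->blocked++; /* a blocking lock here would never return */
        return;
    }
    pthread_mutex_unlock(&r->lock);
    r->unregistered++;
}

/* Ordering the description calls deadlock-prone: removal under r->lock. */
static int notify_config_before(struct resource *r) {
    pthread_mutex_lock(&r->lock);
    model_unregister(r);
    pthread_mutex_unlock(&r->lock);
    return r->blocked;
}

/* Fixed ordering: outer lock held, removal without r->lock, error pointers skipped. */
static int notify_config_after(struct resource *r) {
    pthread_mutex_lock(&notify_lock);
    if (r->hwmon_dev && !MODEL_IS_ERR(r->hwmon_dev))
        model_unregister(r);
    pthread_mutex_lock(&r->lock);
    r->hwmon_dev = NULL; /* state is still updated under the inner lock */
    pthread_mutex_unlock(&r->lock);
    pthread_mutex_unlock(&notify_lock);
    return r->blocked;
}

int main(void) {
    int dev;
    struct resource a = RESOURCE_INIT(&dev), b = RESOURCE_INIT(&dev);
    return !(notify_config_before(&a) == 1 && notify_config_after(&b) == 0);
}
```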
Meta Information
Published: 2026-02-14
Last Modified: 2026-03-18
Generated: 2026-05-07
AI Q&A: 2026-02-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 9 associated CPEs
Vendor | Product | Version / Range
linux | linux_kernel | 6.19
linux | linux_kernel | 6.19
linux | linux_kernel | 6.19
linux | linux_kernel | 6.19
linux | linux_kernel | 6.19
linux | linux_kernel | 6.19
linux | linux_kernel | 6.19
linux | linux_kernel | 6.19
linux | linux_kernel | From 6.15 (inc) to 6.18.10 (exc)
CWE
CWE ID | Description
CWE-667 | The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's acpi_power_meter driver, specifically in its .notify() callback function called acpi_power_meter_notify(). The function calls hwmon_device_unregister() while holding a lock that is also acquired by other callbacks related to sysfs attributes of the device being unregistered. This situation can cause deadlocks between sysfs access and device removal.

The fix involves moving the device removal call outside the problematic lock and adding a new static mutex lock to serialize execution within the notify function. This prevents concurrent attempts to remove the same device simultaneously and ensures proper ordering of firmware notifications and netlink messages. Additional checks were added to handle failure cases when registering the hwmon device.


How can this vulnerability impact me?

This vulnerability can lead to deadlocks in the Linux kernel when the acpi_power_meter driver is handling device notifications and sysfs attribute accesses concurrently. Such deadlocks can cause system hangs or unresponsiveness, potentially impacting system stability and availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

This vulnerability is related to deadlocks in the acpi_power_meter driver in the Linux kernel. To mitigate it, you should update your Linux kernel to a version where this issue has been fixed.

The fix involves changes to the acpi_power_meter_notify() function to avoid deadlocks by moving device removal outside of a lock and adding a new static mutex to serialize notifications.

Therefore, applying the latest kernel patches or upgrading to a kernel version that includes this fix is the immediate step to prevent the deadlocks caused by this vulnerability.

