CVE-2026-23452
Received - Intake
Use-After-Free Race Condition in Linux Kernel PM Runtime Device Removal

Publication date: 2026-04-03

Last updated on: 2026-04-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

PM: runtime: Fix a race condition related to device removal

The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed:

    /* Maybe the parent is now able to suspend. */
    if (parent && !parent->power.ignore_children) {
        spin_unlock(&dev->power.lock);
        spin_lock(&parent->power.lock);
        rpm_idle(parent, RPM_ASYNC);
        spin_unlock(&parent->power.lock);
        spin_lock(&dev->power.lock);
    }

Fix this by inserting a flush_work() call in pm_runtime_remove().

Without this patch blktest block/001 triggers the following complaint sporadically:

    BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160
    Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081
    Workqueue: pm pm_runtime_work
    Call Trace:
     <TASK>
     dump_stack_lvl+0x61/0x80
     print_address_description.constprop.0+0x8b/0x310
     print_report+0xfd/0x1d7
     kasan_report+0xd8/0x1d0
     __kasan_check_byte+0x42/0x60
     lock_acquire.part.0+0x38/0x230
     lock_acquire+0x70/0x160
     _raw_spin_lock+0x36/0x50
     rpm_suspend+0xc6a/0xfe0
     rpm_idle+0x578/0x770
     pm_runtime_work+0xee/0x120
     process_one_work+0xde3/0x1410
     worker_thread+0x5eb/0xfe0
     kthread+0x37b/0x480
     ret_from_fork+0x6cb/0x920
     ret_from_fork_asm+0x11/0x20
     </TASK>

    Allocated by task 4314:
     kasan_save_stack+0x2a/0x50
     kasan_save_track+0x18/0x40
     kasan_save_alloc_info+0x3d/0x50
     __kasan_kmalloc+0xa0/0xb0
     __kmalloc_noprof+0x311/0x990
     scsi_alloc_target+0x122/0xb60 [scsi_mod]
     __scsi_scan_target+0x101/0x460 [scsi_mod]
     scsi_scan_channel+0x179/0x1c0 [scsi_mod]
     scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]
     store_scan+0x2d2/0x390 [scsi_mod]
     dev_attr_store+0x43/0x80
     sysfs_kf_write+0xde/0x140
     kernfs_fop_write_iter+0x3ef/0x670
     vfs_write+0x506/0x1470
     ksys_write+0xfd/0x230
     __x64_sys_write+0x76/0xc0
     x64_sys_call+0x213/0x1810
     do_syscall_64+0xee/0xfc0
     entry_SYSCALL_64_after_hwframe+0x4b/0x53

    Freed by task 4314:
     kasan_save_stack+0x2a/0x50
     kasan_save_track+0x18/0x40
     kasan_save_free_info+0x3f/0x50
     __kasan_slab_free+0x67/0x80
     kfree+0x225/0x6c0
     scsi_target_dev_release+0x3d/0x60 [scsi_mod]
     device_release+0xa3/0x220
     kobject_cleanup+0x105/0x3a0
     kobject_put+0x72/0xd0
     put_device+0x17/0x20
     scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]
     device_release+0xa3/0x220
     kobject_cleanup+0x105/0x3a0
     kobject_put+0x72/0xd0
     put_device+0x17/0x20
     scsi_device_put+0x7f/0xc0 [scsi_mod]
     sdev_store_delete+0xa5/0x120 [scsi_mod]
     dev_attr_store+0x43/0x80
     sysfs_kf_write+0xde/0x140
     kernfs_fop_write_iter+0x3ef/0x670
     vfs_write+0x506/0x1470
     ksys_write+0xfd/0x230
     __x64_sys_write+0x76/0xc0
     x64_sys_call+0x213/0x1810

Meta Information

Published: 2026-04-03

Last Modified: 2026-04-18

Generated: 2026-05-07

AI Q&A: 2026-04-03

EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to access memory that has already been freed, leading to undefined behavior such as system crashes or kernel panics.

Such use-after-free errors can destabilize the system, potentially causing denial of service or other reliability issues.

While the description does not explicitly mention exploitation for privilege escalation or code execution, memory corruption vulnerabilities in the kernel can sometimes be leveraged by attackers to compromise system security.


Can you explain this vulnerability to me?

This vulnerability is a race condition in the Linux kernel's power management runtime code related to device removal.

Specifically, the function pm_runtime_work() may dereference a device's parent pointer after the parent device has already been freed, which can lead to a use-after-free error.

This happens because the code does not properly synchronize the removal of devices, allowing the parent device to be accessed after it has been released.

The issue is fixed by inserting a flush_work() call in pm_runtime_remove() to ensure proper synchronization and prevent accessing freed memory.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a race condition in the Linux kernel's power management runtime code that may cause use-after-free errors. Detection would typically involve monitoring kernel logs for related error messages.

You can check your system logs for kernel BUG or KASAN (Kernel Address Sanitizer) reports indicating use-after-free errors related to pm_runtime_work or device removal.

  • Use the command: dmesg | grep -i 'KASAN' to look for KASAN slab-use-after-free errors.
  • Use the command: journalctl -k | grep -i 'pm_runtime_work' to find kernel messages related to the vulnerable function.
  • Monitor for BUG messages in kernel logs with: dmesg | grep -i 'BUG'
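
The commands above match any line that contains the search string. The following added example (not part of the original page) groups kernel log lines into KASAN reports and counts only the slab-use-after-free reports in which pm_runtime_work appears. The function names and the sample log are constructed for illustration; the first sample report reuses lines from the trace in the description.

```shell
#!/bin/sh
# Added example, not from the advisory: count KASAN slab-use-after-free
# reports in which pm_runtime_work appears. Reads kernel log text on stdin.
count_pm_runtime_uaf() {
    awk '
        # Close the current report and record it if it met both conditions.
        function finish() {
            if (in_report && uaf && pm) hits++
            in_report = 0; uaf = 0; pm = 0
        }
        # Every KASAN report opens with a "BUG: KASAN: <type> in <symbol>" line.
        /BUG: KASAN:/ {
            finish()
            in_report = 1
            if ($0 ~ /slab-use-after-free/) uaf = 1
            next
        }
        # KASAN closes a report with a long row of "=" characters.
        in_report && /====================/ { finish(); next }
        # Matches the "Workqueue: pm pm_runtime_work" line and the stack frame.
        in_report && /pm_runtime_work/ { pm = 1 }
        # A log that is cut off in the middle of a report still counts.
        END { finish(); print hits + 0 }
    '
}

# Constructed sample input: the first report reuses lines from the trace in
# the description; the timestamps, example_fn, example_work and
# example_driver are made up for illustration.
sample_log() {
    cat <<'EOF'
[  101.000001] ==================================================================
[  101.000002] BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160
[  101.000003] Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081
[  101.000004] Workqueue: pm pm_runtime_work
[  101.000005]  pm_runtime_work+0xee/0x120
[  101.000006] ==================================================================
[  205.000001] ==================================================================
[  205.000002] BUG: KASAN: slab-out-of-bounds in example_fn+0x10/0x20
[  205.000003] Workqueue: events example_work
[  205.000004] ==================================================================
[  300.000001] example_driver: debug: pm_runtime_work queued
EOF
}

# Stand-alone run on the sample; on a live system pipe in the output of
# dmesg or journalctl -k instead of sample_log.
sample_log | count_pm_runtime_uaf
```

KASAN reports are only produced by kernels built with CONFIG_KASAN, so a count of 0 on a kernel without it does not show that the fix is present.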

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by a patch that inserts a flush_work() call in the pm_runtime_remove() function to prevent the race condition.

Immediate mitigation steps include updating your Linux kernel to a version that contains this fix.

If updating the kernel is not immediately possible, consider minimizing device removal operations or runtime power management activities that could trigger this race condition.

