CVE-2026-31426
Use-After-Free in Linux Kernel ACPI Embedded Controller Causes Potential Privilege Escalation
Publication date: 2026-04-13
Last updated on: 2026-04-27
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's ACPI EC (Embedded Controller) driver. When the function ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware platforms, it has already started the EC and installed an address space handler using a pointer to a struct acpi_ec as the handler context. However, if acpi_ec_setup() encounters an error, it propagates this error without cleaning up the installed handler.
As a result, the caller function acpi_ec_add() frees the struct acpi_ec for non-boot instances, leaving a dangling pointer in the ACPICA handler context. Any subsequent AML (ACPI Machine Language) evaluation that accesses an EC OpRegion field (such as battery, thermal, or backlight) will use this freed pointer, causing a use-after-free bug. This can lead to kernel memory corruption and crashes.
The issue specifically triggers on reduced-hardware EC platforms when the GPIO IRQ provider defers probing. The fix involves properly removing handlers in the error path to avoid leaving stale handler contexts.
How can this vulnerability impact me? :
This vulnerability can cause a use-after-free condition in the Linux kernel, which may lead to kernel crashes or memory corruption. Since the bug is triggered by unprivileged sysfs reads that cause AML to access EC OpRegion fields, it could potentially be exploited to destabilize the system or cause denial of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability triggers on reduced-hardware EC platforms when the GPIO IRQ provider defers probing, causing a use-after-free in the ACPI EC handler. It can be detected by observing kernel BUG messages related to KASAN slab-use-after-free in mutex_lock, specifically pointing to acpi_ec_space_handler and related ACPI EC functions.
Detection can involve monitoring kernel logs for messages like:
- BUG: KASAN: slab-use-after-free in mutex_lock (kernel/locking/mutex.c:289)
- Call traces involving acpi_ec_space_handler and acpi_ev_address_space_dispatch.
Since the issue occurs when unprivileged sysfs reads cause AML to access an EC OpRegion, commands that read sysfs entries related to battery, thermal, or backlight may trigger the bug and produce kernel errors.
Suggested commands to help detect the issue include checking kernel logs with:
- dmesg | grep -i 'KASAN'
- journalctl -k | grep -i 'use-after-free'
- cat /sys/class/power_supply/*/capacity (or other sysfs reads related to battery, thermal, backlight) to see if they trigger kernel errors.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by ensuring proper cleanup of handlers on probe failure in the ACPI EC setup code. Immediate mitigation involves updating the Linux kernel to a version that includes the fix where ec_remove_handlers() is called in the error path of acpi_ec_setup().
Until the kernel is updated, avoid triggering unprivileged sysfs reads that access EC OpRegion fields (such as battery, thermal, or backlight) on affected reduced-hardware EC platforms.
If possible, restrict access to sysfs entries related to EC devices to prevent unprivileged users from triggering the use-after-free condition.