CVE-2026-31486
Race Condition in Linux Kernel PMBus Regulator Operations
Publication date: 2026-04-22
Last updated on: 2026-04-28
Assigner: kernel.org
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 3.19 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.19 (inc) to 6.19.11 (exc) |
| linux | linux_kernel | From 3.19.1 (inc) to 6.18.21 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-667 | The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's hardware monitoring (hwmon) subsystem, specifically in the pmbus/core regulator operations. Certain functions that access PMBus registers and shared data, namely pmbus_regulator_get_voltage(), pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage(), were not protected by a mutex, which could lead to race conditions.
However, simply adding mutex protection caused deadlocks because the notification function pmbus_regulator_notify() is often called with the mutex already held. If a regulator callback then calls one of the voltage functions, it tries to acquire the same mutex again, causing a deadlock.
The fix involved reworking pmbus_regulator_notify() to use a worker function that sends notifications outside the mutex protection. Events are stored atomically and processed asynchronously, preventing deadlocks while maintaining thread safety.
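The deadlock and the deferred-notification design described above, as a single-threaded user-space C model added here for illustration; it is not the kernel patch, and every identifier in it (model_dev, fault_path, notify_worker and the rest) is hypothetical. A non-recursive flag stands in for the mutex and counts a re-entry instead of blocking on it.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
struct model_dev {        /* user-space model; all names are hypothetical */
    atomic_flag lock;     /* non-recursive lock standing in for the mutex */
    atomic_uint pending;  /* event bits recorded for the worker */
    unsigned delivered;   /* event bits the consumer callback handled */
    int voltage_mv;       /* shared state guarded by lock */
    int self_deadlocks;   /* lock attempts made while already held */
};
static void dev_init(struct model_dev *d, int mv) {
    atomic_flag_clear(&d->lock); atomic_init(&d->pending, 0);
    d->delivered = 0; d->voltage_mv = mv; d->self_deadlocks = 0;
}
/* A real mutex would block forever on re-entry; the model counts it. */
static bool dev_lock(struct model_dev *d) {
    if (atomic_flag_test_and_set(&d->lock)) { d->self_deadlocks++; return false; }
    return true;
}
static int get_voltage(struct model_dev *d) { /* locked regulator operation */
    if (!dev_lock(d)) return -1;
    int mv = d->voltage_mv;
    atomic_flag_clear(&d->lock);
    return mv;
}
static void consumer_cb(struct model_dev *d, unsigned ev) { /* reads voltage */
    if (get_voltage(d) >= 0) d->delivered |= ev;
}
/* Worker: runs with the lock released, drains the bits, then notifies. */
static void notify_worker(struct model_dev *d) {
    unsigned ev = atomic_exchange(&d->pending, 0);
    if (ev) consumer_cb(d, ev);
}
/* Fault path that holds the lock while it raises an event. */
static void fault_path(struct model_dev *d, unsigned ev, bool deferred) {
    dev_lock(d);
    if (deferred) atomic_fetch_or(&d->pending, ev); /* record only */
    else consumer_cb(d, ev);                        /* notify under the lock */
    atomic_flag_clear(&d->lock);
    if (deferred) notify_worker(d); /* stands in for the scheduled work item */
}
int main(void) {
    struct model_dev a, b;
    dev_init(&a, 1200); fault_path(&a, 0x1, false);
    dev_init(&b, 1200); fault_path(&b, 0x1, true);
    printf("direct re-entries=%d deferred re-entries=%d\n", a.self_deadlocks, b.self_deadlocks);
    return 0;
}
```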
How can this vulnerability impact me?
This vulnerability can lead to race conditions in the Linux kernel's hardware monitoring subsystem, which may cause unpredictable behavior or system instability.
Additionally, attempts to fix the issue by adding mutex protection without proper design could cause deadlocks, potentially freezing parts of the system or causing crashes.
Overall, the impact could be system reliability issues, especially in environments relying on accurate hardware monitoring and regulation.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Linux kernel to a version that includes the fix for the pmbus regulator operations race condition.
The fix involves reworking pmbus_regulator_notify() to use a worker function for notifications outside mutex protection, preventing deadlocks.
Ensure that the kernel you run has this patch applied, so that regulator operations are protected by the mutex and the race conditions are avoided.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.