CVE-2026-31740
Awaiting Analysis Awaiting Analysis - Queue
Race Condition in Linux Kernel rz-mtu3-cnt Counter Driver

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member The counter driver can use HW channels 1 and 2, while the PWM driver can use HW channels 0, 1, 2, 3, 4, 6, 7. The dev member is assigned both by the counter driver and the PWM driver for channels 1 and 2, to their own struct device instance, overwriting the previous value. The sub-drivers race to assign their own struct device pointer to the same struct rz_mtu3_channel's dev member. The dev member of struct rz_mtu3_channel is used by the counter sub-driver for runtime PM. Depending on the probe order of the counter and PWM sub-drivers, the dev member may point to the wrong struct device instance, causing the counter sub-driver to do runtime PM actions on the wrong device. To fix this, use the parent pointer of the counter, which is assigned during probe to the correct struct device, not the struct device pointer inside the shared struct rz_mtu3_channel.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-05-07
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31740
EUVD
EUVD-2026-26553
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's handling of the rz-mtu3 counter driver and PWM driver. Both drivers use hardware channels 1 and 2 and assign their own struct device pointer to the same dev member within the shared struct rz_mtu3_channel. Because these assignments race against each other, the dev member may end up pointing to the wrong device instance.

As a result, the counter sub-driver might perform runtime power management (PM) actions on the wrong device, depending on the order in which the drivers are probed. The fix involves using the parent pointer of the counter, which is correctly assigned during probe, instead of the shared dev member.


How can this vulnerability impact me? :

This vulnerability can cause the counter sub-driver to perform runtime power management operations on an incorrect device due to the dev member pointing to the wrong struct device instance. This mismanagement could lead to unexpected device behavior, potential device malfunctions, or instability in the system's power management.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is related to the Linux kernel's rz-mtu3 counter driver and PWM driver sharing and overwriting the dev member in struct rz_mtu3_channel, causing incorrect runtime PM actions.

To mitigate this vulnerability, update your Linux kernel to a version where this issue is fixed. The fix involves using the parent pointer of the counter, assigned during probe, instead of the shared dev member inside struct rz_mtu3_channel.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

There is no information available in the provided context or resources about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart