CVE-2026-31741
Awaiting Analysis Awaiting Analysis - Queue
Runtime PM Counter Underflow in RZ MTU3 Counter

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: counter: rz-mtu3-cnt: prevent counter from being toggled multiple times Runtime PM counter is incremented / decremented each time the sysfs enable file is written to. If user writes 0 to the sysfs enable file multiple times, runtime PM usage count underflows, generating the following message. rz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow! At the same time, hardware registers end up being accessed with clocks off in rz_mtu3_terminate_counter() to disable an already disabled channel. If user writes 1 to the sysfs enable file multiple times, runtime PM usage count will be incremented each time, requiring the same number of 0 writes to get it back to 0. If user writes 0 to the sysfs enable file while PWM is in progress, PWM is stopped without counter being the owner of the underlying MTU3 channel. Check against the cached count_is_enabled value and exit if the user is trying to set the same enable value.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-05-07
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31741
EUVD
EUVD-2026-26554
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's rz-mtu3 counter component. It occurs because the runtime power management (PM) counter can be toggled multiple times incorrectly when writing to the sysfs enable file.

If a user writes 0 multiple times to the sysfs enable file, the runtime PM usage count underflows, causing an error message and potentially accessing hardware registers with clocks turned off. Similarly, writing 1 multiple times increments the usage count each time, requiring multiple 0 writes to reset it.

Additionally, if 0 is written while a PWM (Pulse Width Modulation) operation is in progress, the PWM stops without the counter properly owning the underlying MTU3 channel. The fix involves checking the cached enable state and preventing redundant toggling.


How can this vulnerability impact me? :

This vulnerability can lead to incorrect runtime power management behavior, such as underflowing the usage count and accessing hardware registers when clocks are off. This may cause instability or unexpected behavior in hardware components controlled by the rz-mtu3 counter.

It can also cause PWM operations to stop unexpectedly without proper ownership, potentially disrupting hardware functions relying on PWM signals.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring system logs for the specific error message indicating a runtime PM usage count underflow.

  • Check system logs for the message: "rz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow!"
  • Use commands like `dmesg | grep 'rz-mtu3-counter'` or `journalctl -k | grep 'rz-mtu3-counter'` to find occurrences of this message.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, avoid writing the same enable value multiple times to the sysfs enable file for the rz-mtu3-counter device.

Specifically, ensure that writes to the sysfs enable file check against the cached count_is_enabled value and exit if the user attempts to set the same enable value repeatedly.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart