CVE-2026-31741
Analyzed Analyzed - Analysis Complete
Runtime PM Counter Underflow in RZ MTU3 Counter

Publication date: 2026-05-01

Last updated on: 2026-05-07

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: counter: rz-mtu3-cnt: prevent counter from being toggled multiple times Runtime PM counter is incremented / decremented each time the sysfs enable file is written to. If user writes 0 to the sysfs enable file multiple times, runtime PM usage count underflows, generating the following message. rz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow! At the same time, hardware registers end up being accessed with clocks off in rz_mtu3_terminate_counter() to disable an already disabled channel. If user writes 1 to the sysfs enable file multiple times, runtime PM usage count will be incremented each time, requiring the same number of 0 writes to get it back to 0. If user writes 0 to the sysfs enable file while PWM is in progress, PWM is stopped without counter being the owner of the underlying MTU3 channel. Check against the cached count_is_enabled value and exit if the user is trying to set the same enable value.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31741
EUVD
EUVD-2026-26554
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.4 (inc) to 6.6.134 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's rz-mtu3 counter component. It occurs because the runtime power management (PM) counter can be toggled multiple times incorrectly when writing to the sysfs enable file.

If a user writes 0 multiple times to the sysfs enable file, the runtime PM usage count underflows, causing an error message and potentially accessing hardware registers with clocks turned off. Similarly, writing 1 multiple times increments the usage count each time, requiring multiple 0 writes to reset it.

Additionally, if 0 is written while a PWM (Pulse Width Modulation) operation is in progress, the PWM stops without the counter properly owning the underlying MTU3 channel. The fix involves checking the cached enable state and preventing redundant toggling.

Impact Analysis

This vulnerability can lead to incorrect runtime power management behavior, such as underflowing the usage count and accessing hardware registers when clocks are off. This may cause instability or unexpected behavior in hardware components controlled by the rz-mtu3 counter.

It can also cause PWM operations to stop unexpectedly without proper ownership, potentially disrupting hardware functions relying on PWM signals.

Detection Guidance

This vulnerability can be detected by monitoring system logs for the specific error message indicating a runtime PM usage count underflow.

  • Check system logs for the message: "rz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow!"
  • Use commands like `dmesg | grep 'rz-mtu3-counter'` or `journalctl -k | grep 'rz-mtu3-counter'` to find occurrences of this message.
Mitigation Strategies

To mitigate this vulnerability, avoid writing the same enable value multiple times to the sysfs enable file for the rz-mtu3-counter device.

Specifically, ensure that writes to the sysfs enable file check against the cached count_is_enabled value and exit if the user attempts to set the same enable value repeatedly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31741. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart