CVE-2026-46292
Received - Intake
Runtime PM Leak in Linux Kernel PM Domain Core

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

pmdomain: core: Fix detach procedure for virtual devices in genpd

If a device is attached to a PM domain through genpd_dev_pm_attach_by_id(), genpd calls pm_runtime_enable() for the corresponding virtual device that it registers. While this avoids boilerplate code in drivers, there is no corresponding call to pm_runtime_disable() in genpd_dev_pm_detach().

This means these virtual devices are typically detached from their genpd, while runtime PM remains enabled for them, which is not how things are designed to work. In worst cases it may lead to critical errors, like a NULL pointer dereference bug in genpd_runtime_suspend(), which was recently reported. For another case, we may end up keeping an unnecessary vote for a performance state for the device.

To fix these problems, let's add this missing call to pm_runtime_disable() in genpd_dev_pm_detach().

Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-09
AI Q&A: 2026-06-08
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
linux | linux_kernel | *
linux_kernel | linux_kernel | *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's power management domain (pmdomain) core, specifically in the handling of virtual devices within the generic power domain (genpd) framework.

When a device is attached to a power management domain using genpd_dev_pm_attach_by_id(), the system enables runtime power management (pm_runtime_enable()) for the associated virtual device. However, when the device is detached using genpd_dev_pm_detach(), the corresponding call to disable runtime power management (pm_runtime_disable()) is missing.

As a result, runtime power management stays enabled for virtual devices even after they are detached, which is unintended behavior. This can cause critical errors such as NULL pointer dereferences in genpd_runtime_suspend() and may also leave an unnecessary performance state vote in place for the device, impacting system performance and stability.

The fix involves adding the missing pm_runtime_disable() call in the detach procedure to properly disable runtime power management when virtual devices are detached.

Impact Analysis

This vulnerability can impact you by causing critical errors in the Linux kernel, such as NULL pointer dereference bugs during power management operations.

Such errors can lead to system instability, crashes, or unexpected behavior in devices managed by the affected power management domain.

Additionally, the vulnerability may cause the system to keep an unnecessary performance state vote for the device, potentially leading to inefficient power usage and degraded performance.

Mitigation Strategies

The vulnerability is fixed by adding a missing call to pm_runtime_disable() in the genpd_dev_pm_detach() function of the Linux kernel. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.
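
A source-level check for the fix described above, as an added example that is not part of the original advisory or the kernel tree: it reports whether the body of genpd_dev_pm_detach() in a given kernel source file calls pm_runtime_disable(). The names genpd_detach_has_disable and write_sample are hypothetical, the sample function body is constructed, and the brace matching is a heuristic that assumes kernel coding style.

```shell
#!/bin/sh
# Added example (not kernel code). Heuristic source check for the fix described
# above: does the body of genpd_dev_pm_detach() call pm_runtime_disable()?
# Usage: genpd_detach_has_disable <source file that defines the function>
# Exit status: 0 = call present, 1 = function found but call missing,
#              2 = file unreadable or function definition not found.
genpd_detach_has_disable() {
    [ -r "$1" ] || return 2
    awk '
        # A definition starts in column 0 and does not end in ";" (this skips
        # calls, prototypes and comment lines that mention the function).
        !infn && /^[A-Za-z_].*genpd_dev_pm_detach[ \t]*\(/ && !/;[ \t]*$/ { infn = 1 }
        infn {
            line = $0
            if (line ~ /pm_runtime_disable[ \t]*\(/) found = 1
            opens = gsub(/[{]/, "{", line)     # gsub returns the match count
            closes = gsub(/[}]/, "}", line)
            depth += opens - closes
            if (opens) seen = 1
            # Body is complete once the outermost brace closes.
            if (seen && depth == 0) { closed = 1; exit }
        }
        END { if (!closed) exit 2; exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample input: a simplified stand-in for the detach function,
# written with ($2 = fixed) or without (any other $2) the missing call.
write_sample() {
    {
        echo 'static void genpd_dev_pm_detach(struct device *dev, bool power_off)'
        echo '{'
        echo '	/* constructed stand-in body, not the real kernel function */'
        echo '	if (dev) {'
        if [ "$2" = fixed ]; then echo '		pm_runtime_disable(dev);'; fi
        echo '	}'
        echo '}'
    } > "$1"
}
```

A result of 0 only shows that the call appears somewhere in the function body; confirm against the vendor's changelog for backported kernels.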
