PT-2026-32352 · Linux · Linux

Published

2026-04-13

·

Updated

2026-04-13

·

CVE-2026-31426

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
ACPI: EC: clean up handlers on probe failure in acpi ec setup()
When ec install handlers() returns -EPROBE DEFER on reduced-hardware platforms, it has already started the EC and installed the address space handler with the struct acpi ec pointer as handler context. However, acpi ec setup() propagates the error without any cleanup.
The caller acpi ec add() then frees the struct acpi ec for non-boot instances, leaving a dangling handler context in ACPICA.
Any subsequent AML evaluation that accesses an EC OpRegion field dispatches into acpi ec space handler() with the freed pointer, causing a use-after-free:
BUG: KASAN: slab-use-after-free in mutex lock (kernel/locking/mutex.c:289) Write of size 8 at addr ffff88800721de38 by task init/1 Call Trace: mutex lock (kernel/locking/mutex.c:289) acpi ec space handler (drivers/acpi/ec.c:1362) acpi ev address space dispatch (drivers/acpi/acpica/evregion.c:293) acpi ex access region (drivers/acpi/acpica/exfldio.c:246) acpi ex field datum io (drivers/acpi/acpica/exfldio.c:509) acpi ex extract from field (drivers/acpi/acpica/exfldio.c:700) acpi ex read data from field (drivers/acpi/acpica/exfield.c:327) acpi ex resolve node to value (drivers/acpi/acpica/exresolv.c:392)
Allocated by task 1: acpi ec alloc (drivers/acpi/ec.c:1424) acpi ec add (drivers/acpi/ec.c:1692)
Freed by task 1: kfree (mm/slub.c:6876) acpi ec add (drivers/acpi/ec.c:1751)
The bug triggers on reduced-hardware EC platforms (ec->gpe < 0) when the GPIO IRQ provider defers probing. Once the stale handler exists, any unprivileged sysfs read that causes AML to touch an EC OpRegion (battery, thermal, backlight) exercises the dangling pointer.
Fix this by calling ec remove handlers() in the error path of acpi ec setup() before clearing first ec. ec remove handlers() checks each EC FLAGS * bit before acting, so it is safe to call regardless of how far ec install handlers() progressed:
-ENODEV (handler not installed): only calls acpi ec stop() -EPROBE DEFER (handler installed): removes handler, stops EC

Related Identifiers

CVE-2026-31426

Affected Products

Linux