{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-03T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: PM: runtime: Fix a race condition related to device removal",
    "id" : "2454820",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2454820"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-364",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nPM: runtime: Fix a race condition related to device removal\nThe following code in pm_runtime_work() may dereference the dev->parent\npointer after the parent device has been freed:\n/* Maybe the parent is now able to suspend. */\nif (parent && !parent->power.ignore_children) {\nspin_unlock(&dev->power.lock);\nspin_lock(&parent->power.lock);\nrpm_idle(parent, RPM_ASYNC);\nspin_unlock(&parent->power.lock);\nspin_lock(&dev->power.lock);\n}\nFix this by inserting a flush_work() call in pm_runtime_remove().\nWithout this patch blktest block/001 triggers the following complaint\nsporadically:\nBUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160\nRead of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081\nWorkqueue: pm pm_runtime_work\nCall Trace:\n<TASK>\ndump_stack_lvl+0x61/0x80\nprint_address_description.constprop.0+0x8b/0x310\nprint_report+0xfd/0x1d7\nkasan_report+0xd8/0x1d0\n__kasan_check_byte+0x42/0x60\nlock_acquire.part.0+0x38/0x230\nlock_acquire+0x70/0x160\n_raw_spin_lock+0x36/0x50\nrpm_suspend+0xc6a/0xfe0\nrpm_idle+0x578/0x770\npm_runtime_work+0xee/0x120\nprocess_one_work+0xde3/0x1410\nworker_thread+0x5eb/0xfe0\nkthread+0x37b/0x480\nret_from_fork+0x6cb/0x920\nret_from_fork_asm+0x11/0x20\n</TASK>\nAllocated by task 4314:\nkasan_save_stack+0x2a/0x50\nkasan_save_track+0x18/0x40\nkasan_save_alloc_info+0x3d/0x50\n__kasan_kmalloc+0xa0/0xb0\n__kmalloc_noprof+0x311/0x990\nscsi_alloc_target+0x122/0xb60 [scsi_mod]\n__scsi_scan_target+0x101/0x460 [scsi_mod]\nscsi_scan_channel+0x179/0x1c0 [scsi_mod]\nscsi_scan_host_selected+0x259/0x2d0 [scsi_mod]\nstore_scan+0x2d2/0x390 [scsi_mod]\ndev_attr_store+0x43/0x80\nsysfs_kf_write+0xde/0x140\nkernfs_fop_write_iter+0x3ef/0x670\nvfs_write+0x506/0x1470\nksys_write+0xfd/0x230\n__x64_sys_write+0x76/0xc0\nx64_sys_call+0x213/0x1810\ndo_syscall_64+0xee/0xfc0\nentry_SYSCALL_64_after_hwframe+0x4b/0x53\nFreed by task 4314:\nkasan_save_stack+0x2a/0x50\nkasan_save_track+0x18/0x40\nkasan_save_free_info+0x3f/0x50\n__kasan_slab_free+0x67/0x80\nkfree+0x225/0x6c0\nscsi_target_dev_release+0x3d/0x60 [scsi_mod]\ndevice_release+0xa3/0x220\nkobject_cleanup+0x105/0x3a0\nkobject_put+0x72/0xd0\nput_device+0x17/0x20\nscsi_device_dev_release+0xacf/0x12c0 [scsi_mod]\ndevice_release+0xa3/0x220\nkobject_cleanup+0x105/0x3a0\nkobject_put+0x72/0xd0\nput_device+0x17/0x20\nscsi_device_put+0x7f/0xc0 [scsi_mod]\nsdev_store_delete+0xa5/0x120 [scsi_mod]\ndev_attr_store+0x43/0x80\nsysfs_kf_write+0xde/0x140\nkernfs_fop_write_iter+0x3ef/0x670\nvfs_write+0x506/0x1470\nksys_write+0xfd/0x230\n__x64_sys_write+0x76/0xc0\nx64_sys_call+0x213/0x1810", "A flaw was found in the Linux kernel. A race condition within the power management (PM) runtime component, specifically during device removal, can lead to a use-after-free vulnerability. This allows a local attacker to potentially cause memory corruption. The most significant impact is a system crash, leading to a denial of service (DoS)." ],
  "statement" : "`pm_runtime_work()` could touch a parent device after it was freed when runtime work raced removal. The fix flushes pending work in `pm_runtime_remove()`. Triggers are timing-dependent and often seen under stress (for example block tests); practical impact is instability or crash.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23452\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23452\nhttps://lore.kernel.org/linux-cve-announce/2026040317-CVE-2026-23452-4c2b@gregkh/T" ],
  "name" : "CVE-2026-23452",
  "csaw" : false
}