{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-13T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()",
    "id" : "2457827",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2457827"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nACPI: EC: clean up handlers on probe failure in acpi_ec_setup()\nWhen ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware\nplatforms, it has already started the EC and installed the address\nspace handler with the struct acpi_ec pointer as handler context.\nHowever, acpi_ec_setup() propagates the error without any cleanup.\nThe caller acpi_ec_add() then frees the struct acpi_ec for non-boot\ninstances, leaving a dangling handler context in ACPICA.\nAny subsequent AML evaluation that accesses an EC OpRegion field\ndispatches into acpi_ec_space_handler() with the freed pointer,\ncausing a use-after-free:\nBUG: KASAN: slab-use-after-free in mutex_lock (kernel/locking/mutex.c:289)\nWrite of size 8 at addr ffff88800721de38 by task init/1\nCall Trace:\n<TASK>\nmutex_lock (kernel/locking/mutex.c:289)\nacpi_ec_space_handler (drivers/acpi/ec.c:1362)\nacpi_ev_address_space_dispatch (drivers/acpi/acpica/evregion.c:293)\nacpi_ex_access_region (drivers/acpi/acpica/exfldio.c:246)\nacpi_ex_field_datum_io (drivers/acpi/acpica/exfldio.c:509)\nacpi_ex_extract_from_field (drivers/acpi/acpica/exfldio.c:700)\nacpi_ex_read_data_from_field (drivers/acpi/acpica/exfield.c:327)\nacpi_ex_resolve_node_to_value (drivers/acpi/acpica/exresolv.c:392)\n</TASK>\nAllocated by task 1:\nacpi_ec_alloc (drivers/acpi/ec.c:1424)\nacpi_ec_add (drivers/acpi/ec.c:1692)\nFreed by task 1:\nkfree (mm/slub.c:6876)\nacpi_ec_add (drivers/acpi/ec.c:1751)\nThe bug triggers on reduced-hardware EC platforms (ec->gpe < 0)\nwhen the GPIO IRQ provider defers probing. Once the stale handler\nexists, any unprivileged sysfs read that causes AML to touch an\nEC OpRegion (battery, thermal, backlight) exercises the dangling\npointer.\nFix this by calling ec_remove_handlers() in the error path of\nacpi_ec_setup() before clearing first_ec. ec_remove_handlers()\nchecks each EC_FLAGS_* bit before acting, so it is safe to call\nregardless of how far ec_install_handlers() progressed:\n-ENODEV  (handler not installed): only calls acpi_ec_stop()\n-EPROBE_DEFER (handler installed): removes handler, stops EC", "A flaw was found in the Linux kernel's Advanced Configuration and Power Interface (ACPI) Embedded Controller (EC) subsystem. During the setup of the EC handler, if a probe deferral occurs on specific hardware, the system fails to properly deallocate resources. This oversight creates a use-after-free vulnerability, allowing an unprivileged local attacker to trigger a system crash, resulting in a Denial of Service (DoS). The attacker can exploit this by performing certain system file system (sysfs) reads that interact with EC OpRegion fields." ],
  "statement" : "This affects reduced-hardware EC setups where probe defers after the handler is partially installed. The patch removes handlers on the error path before dropping the EC object. Follow-on AML can be triggered from paths including sysfs-driven configuration reads; impact is at least denial of service via crash, and memory corruption warrants manual review for any broader confidentiality or integrity claim.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31426\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31426\nhttps://lore.kernel.org/linux-cve-announce/2026041357-CVE-2026-31426-bfb3@gregkh/T" ],
  "name" : "CVE-2026-31426",
  "csaw" : false
}