{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-01T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: thermal: core: Address thermal zone removal races with resume",
    "id" : "2464436",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464436"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nthermal: core: Address thermal zone removal races with resume\nSince thermal_zone_pm_complete() and thermal_zone_device_resume()\nre-initialize the poll_queue delayed work for the given thermal zone,\nthe cancel_delayed_work_sync() in thermal_zone_device_unregister()\nmay miss some already running work items and the thermal zone may\nbe freed prematurely [1].\nThere are two failing scenarios that both start with\nrunning thermal_pm_notify_complete() right before invoking\nthermal_zone_device_unregister() for one of the thermal zones.\nIn the first scenario, there is a work item already running for\nthe given thermal zone when thermal_pm_notify_complete() calls\nthermal_zone_pm_complete() for that thermal zone and it continues to\nrun when thermal_zone_device_unregister() starts.  Since the poll_queue\ndelayed work has been re-initialized by thermal_pm_notify_complete(), the\nrunning work item will be missed by the cancel_delayed_work_sync() in\nthermal_zone_device_unregister() and if it continues to run past the\nfreeing of the thermal zone object, a use-after-free will occur.\nIn the second scenario, thermal_zone_device_resume() queued up by\nthermal_pm_notify_complete() runs right after the thermal_zone_exit()\ncalled by thermal_zone_device_unregister() has returned.  The poll_queue\ndelayed work is re-initialized by it before cancel_delayed_work_sync() is\ncalled by thermal_zone_device_unregister(), so it may continue to run\nafter the freeing of the thermal zone object, which also leads to a\nuse-after-free.\nAddress the first failing scenario by ensuring that no thermal work\nitems will be running when thermal_pm_notify_complete() is called.\nFor this purpose, first move the cancel_delayed_work() call from\nthermal_zone_pm_complete() to thermal_zone_pm_prepare() to prevent\nnew work from entering the workqueue going forward.  Next, switch\nover to using a dedicated workqueue for thermal events and update\nthe code in thermal_pm_notify() to flush that workqueue after\nthermal_pm_notify_prepare() has returned which will take care of\nall leftover thermal work already on the workqueue (that leftover\nwork would do nothing useful anyway because all of the thermal zones\nhave been flagged as suspended).\nThe second failing scenario is addressed by adding a tz->state check\nto thermal_zone_device_resume() to prevent it from re-initializing\nthe poll_queue delayed work if the thermal zone is going away.\nNote that the above changes will also facilitate relocating the suspend\nand resume of thermal zones closer to the suspend and resume of devices,\nrespectively.", "A flaw was found in the Linux kernel's thermal management subsystem. A race condition can occur when thermal zones are removed while the system is resuming from a power-saving state. This timing issue can cause the system to attempt to use memory that has already been freed, leading to a use-after-free vulnerability. The most significant consequence of this flaw is potential system instability or a denial of service." ],
  "statement" : "Thermal core had races between zone removal and resume; upstream serializes lifetimes correctly. Red Hat notes impact as local power/thermal management stability. Update kernels—thermal core is not practically unloadable.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31731\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31731\nhttps://lore.kernel.org/linux-cve-announce/2026050136-CVE-2026-31731-b01e@gregkh/T" ],
  "name" : "CVE-2026-31731",
  "csaw" : false
}