CVE-2026-45914

Source
https://cve.org/CVERecord?id=CVE-2026-45914
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45914.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45914
Downstream
Published
2026-05-27T12:17:29.426Z
Modified
2026-07-08T08:13:41.619213868Z
Summary
Revert "hwmon: (ibmpex) fix use-after-free in high/low store"
Details

In the Linux kernel, the following vulnerability has been resolved:

Revert "hwmon: (ibmpex) fix use-after-free in high/low store"

This reverts commit 6946c726c3f4c36f0f049e6f97e88c510b15f65d.

Jean Delvare points out that the patch does not completely fix the reported problem, that it in fact introduces a (new) race condition, and that it may actually not be needed in the first place.

Various AI reviews agree. Specific and relevant AI feedback:

" This reordering sets the driver data to NULL before removing the sensor attributes in the loop below.

ibmpexshowsensor() retrieves this driver data via devgetdrvdata() but does not check if it is NULL before dereferencing it to access data->sensors[].

If a userspace process reads a sensor file (like temp1input) while this delete function is running, could it race with the devsetdrvdata(..., NULL) call here and crash in ibmpexshow_sensor()?

Would it be safer to keep the original order where deviceremovefile() is called before clearing the driver data? deviceremovefile() should wait for any active sysfs callbacks to complete, which might already prevent the use-after-free this patch intends to fix. "

Revert the offending patch. If it can be shown that the originally reported alleged race condition does indeed exist, it can always be re-introduced with a complete fix.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45914.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3ce9b7ae9d4d148672b35147aaf7987a4f82bb94
Fixed
05112ba67c824ab416cd54307c0b50aba9f0047a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
533ead425f8109b02fecc7e72d612b8898ec347a
Fixed
efd68429f23fb4015b0ebc2392334059e06fad18
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
fa37adcf1d564ef58b9dfb01b6c36d35c5294bad
Fixed
f448acd86835a650f9ea83460b9ca347d3aafba5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
68d62e5bebbd118b763e8bb210d5cf2198ef450c
Fixed
914b47c9b824d3d74f31c764163edf93302100b1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5aa2139201667c1f644601e4529c4acd6bf8db5a
Fixed
14a38784e09aebc21207dc32fffa05247fc3dd64
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6946c726c3f4c36f0f049e6f97e88c510b15f65d
Fixed
894d9c7aab68fd0c70c78b1d03c8fa589fb0f67d
Fixed
8bde3e395a85017f12af2b0ba5c3684f5af9c006
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5.10.248
Fixed
5.10.252
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.1.160
Fixed
6.1.165
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.6.120
Fixed
6.6.128
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.12.64
Fixed
6.12.75
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6.18.3
Fixed
6.18.14

Affected versions

v5.*
v5.10.248
v5.10.249
v5.10.250
v5.10.251
v6.*
v6.1.160
v6.1.161
v6.1.162
v6.1.163
v6.1.164
v6.12.64
v6.12.65
v6.12.66
v6.12.67
v6.12.68
v6.12.69
v6.12.70
v6.12.71
v6.12.72
v6.12.73
v6.12.74
v6.18.10
v6.18.11
v6.18.12
v6.18.13
v6.18.3
v6.18.4
v6.18.5
v6.18.6
v6.18.7
v6.18.8
v6.18.9
v6.6.120
v6.6.121
v6.6.122
v6.6.123
v6.6.124
v6.6.125
v6.6.126
v6.6.127

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45914.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.252
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
6.1.165
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.128
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.14
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45914.json"