HIGH
thermal Registration UAF
CVE-2026-43332
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI6.3MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone device registration error path If thermal_zone_device_register_with_trips() fails after registering a thermal zone device, it needs to wait for the tz->removal completion like thermal_zone_device_unregister(), in case user space has managed to take a reference to the thermal zone device's kobject, in which case thermal_release() may not be called by the error path itself and tz may be freed prematurely. Add the missing wait_for_completion() call to the thermal zone device registration error path.
02KernelScan AI Analysis
Risk summary
A race condition in thermal zone device registration can lead to use-after-free when userspace accesses thermal sysfs files during registration failure. This could cause kernel memory corruption or system crashes on systems with thermal management.
Vulnerability analysis
The vulnerability occurs in thermal_zone_device_register_with_trips() error handling where put_device() is called without waiting for device removal completion. If userspace holds a reference to the thermal zone's kobject via sysfs during registration failure, the thermal zone structure may be freed prematurely while still referenced, creating a use-after-free condition. The fix adds wait_for_completion(&tz->removal) to ensure proper synchronization before freeing resources.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.81 | c4c7219e9331 |
| 6.18 | 6.18.22 | 4d390f0e507d |
| 6.19 | 6.19.12 | 9e07e3b81807 |
| 6.6 | 6.6.134 | 9e796001af97 |
| 6.8 | 6.8 | 604da9c04c21 |
| mainline | 7.0 | — |