{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-45914", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.085Z", "datePublished": "2026-05-27T12:17:29.426Z", "dateUpdated": "2026-05-27T12:17:29.426Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-27T12:17:29.426Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"hwmon: (ibmpex) fix use-after-free in high/low store\"\n\nThis reverts commit 6946c726c3f4c36f0f049e6f97e88c510b15f65d.\n\nJean Delvare points out that the patch does not completely\nfix the reported problem, that it in fact introduces a\n(new) race condition, and that it may actually not be needed in\nthe first place.\n\nVarious AI reviews agree. Specific and relevant AI feedback:\n\n\"\nThis reordering sets the driver data to NULL before removing the sensor\nattributes in the loop below.\n\nibmpex_show_sensor() retrieves this driver data via dev_get_drvdata() but\ndoes not check if it is NULL before dereferencing it to access\ndata->sensors[].\n\nIf a userspace process reads a sensor file (like temp1_input) while this\ndelete function is running, could it race with the dev_set_drvdata(...,\nNULL) call here and crash in ibmpex_show_sensor()?\n\nWould it be safer to keep the original order where device_remove_file() is\ncalled before clearing the driver data? device_remove_file() should wait\nfor any active sysfs callbacks to complete, which might already prevent the\nuse-after-free this patch intends to fix.\n\"\n\nRevert the offending patch. If it can be shown that the originally reported\nalleged race condition does indeed exist, it can always be re-introduced\nwith a complete fix."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hwmon/ibmpex.c"], "versions": [{"version": "3ce9b7ae9d4d148672b35147aaf7987a4f82bb94", "lessThan": "05112ba67c824ab416cd54307c0b50aba9f0047a", "status": "affected", "versionType": "git"}, {"version": "533ead425f8109b02fecc7e72d612b8898ec347a", "lessThan": "efd68429f23fb4015b0ebc2392334059e06fad18", "status": "affected", "versionType": "git"}, {"version": "fa37adcf1d564ef58b9dfb01b6c36d35c5294bad", "lessThan": "f448acd86835a650f9ea83460b9ca347d3aafba5", "status": "affected", "versionType": "git"}, {"version": "68d62e5bebbd118b763e8bb210d5cf2198ef450c", "lessThan": "914b47c9b824d3d74f31c764163edf93302100b1", "status": "affected", "versionType": "git"}, {"version": "5aa2139201667c1f644601e4529c4acd6bf8db5a", "lessThan": "14a38784e09aebc21207dc32fffa05247fc3dd64", "status": "affected", "versionType": "git"}, {"version": "6946c726c3f4c36f0f049e6f97e88c510b15f65d", "lessThan": "894d9c7aab68fd0c70c78b1d03c8fa589fb0f67d", "status": "affected", "versionType": "git"}, {"version": "6946c726c3f4c36f0f049e6f97e88c510b15f65d", "lessThan": "8bde3e395a85017f12af2b0ba5c3684f5af9c006", "status": "affected", "versionType": "git"}, {"version": "5.10.248", "lessThan": "5.10.252", "status": "affected", "versionType": "semver"}, {"version": "6.1.160", "lessThan": "6.1.165", "status": "affected", "versionType": "semver"}, {"version": "6.6.120", "lessThan": "6.6.128", "status": "affected", "versionType": "semver"}, {"version": "6.12.64", "lessThan": "6.12.75", "status": "affected", "versionType": "semver"}, {"version": "6.18.3", "lessThan": "6.18.14", "status": "affected", "versionType": "semver"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hwmon/ibmpex.c"], "versions": [{"version": "6.19", "status": "affected"}, {"version": "0", "lessThan": "6.19", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.252", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.165", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.128", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.14", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.4", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.248", "versionEndExcluding": "5.10.252"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.160", "versionEndExcluding": "6.1.165"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.120", "versionEndExcluding": "6.6.128"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.64", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.3", "versionEndExcluding": "6.18.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/05112ba67c824ab416cd54307c0b50aba9f0047a"}, {"url": "https://git.kernel.org/stable/c/efd68429f23fb4015b0ebc2392334059e06fad18"}, {"url": "https://git.kernel.org/stable/c/f448acd86835a650f9ea83460b9ca347d3aafba5"}, {"url": "https://git.kernel.org/stable/c/914b47c9b824d3d74f31c764163edf93302100b1"}, {"url": "https://git.kernel.org/stable/c/14a38784e09aebc21207dc32fffa05247fc3dd64"}, {"url": "https://git.kernel.org/stable/c/894d9c7aab68fd0c70c78b1d03c8fa589fb0f67d"}, {"url": "https://git.kernel.org/stable/c/8bde3e395a85017f12af2b0ba5c3684f5af9c006"}], "title": "Revert \"hwmon: (ibmpex) fix use-after-free in high/low store\"", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"hwmon: (ibmpex) fix use-after-free in high/low store\"\n\nThis reverts commit 6946c726c3f4c36f0f049e6f97e88c510b15f65d.\n\nJean Delvare points out that the patch does not completely\nfix the reported problem, that it in fact introduces a\n(new) race condition, and that it may actually not be needed in\nthe first place.\n\nVarious AI reviews agree. Specific and relevant AI feedback:\n\n\"\nThis reordering sets the driver data to NULL before removing the sensor\nattributes in the loop below.\n\nibmpex_show_sensor() retrieves this driver data via dev_get_drvdata() but\ndoes not check if it is NULL before dereferencing it to access\ndata->sensors[].\n\nIf a userspace process reads a sensor file (like temp1_input) while this\ndelete function is running, could it race with the dev_set_drvdata(...,\nNULL) call here and crash in ibmpex_show_sensor()?\n\nWould it be safer to keep the original order where device_remove_file() is\ncalled before clearing the driver data? device_remove_file() should wait\nfor any active sysfs callbacks to complete, which might already prevent the\nuse-after-free this patch intends to fix.\n\"\n\nRevert the offending patch. If it can be shown that the originally reported\nalleged race condition does indeed exist, it can always be re-introduced\nwith a complete fix."}], "id": "CVE-2026-45914", "lastModified": "2026-05-27T14:48:03.013", "metrics": {}, "published": "2026-05-27T14:17:06.180", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/05112ba67c824ab416cd54307c0b50aba9f0047a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/14a38784e09aebc21207dc32fffa05247fc3dd64"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/894d9c7aab68fd0c70c78b1d03c8fa589fb0f67d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8bde3e395a85017f12af2b0ba5c3684f5af9c006"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/914b47c9b824d3d74f31c764163edf93302100b1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/efd68429f23fb4015b0ebc2392334059e06fad18"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f448acd86835a650f9ea83460b9ca347d3aafba5"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{"created": "2026-05-27T16:45:38.113862+00:00", "title": "Race Condition in IBM PEX Hardware Monitoring Driver Leading to Crash", "updated": "2026-05-27T16:45:38.113873+00:00", "vendors": [], "weaknesses": ["CWE-416", "CWE-476"]}