CVE-2026-23101

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/02/2026
Last modified:
04/02/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

leds: led-class: Only Add LED to leds_list when it is fully ready

Before this change the LED was added to leds_list before led_init_core() gets called adding it to the list before led_classdev.set_brightness_work gets initialized.

This leaves a window where led_trigger_register() of a LED's default trigger will call led_trigger_set() which calls led_set_brightness() which in turn will end up queueing the *uninitialized* led_classdev.set_brightness_work.

This race gets hit by the lenovo-thinkpad-t14s EC driver which registers 2 LEDs with a default trigger provided by snd_ctl_led.ko in quick succession. The first led_classdev_register() causes an async modprobe of snd_ctl_led to run and that async modprobe manages to exactly hit the window where the second LED is on the leds_list without led_init_core() being called for it, resulting in:

------------[ cut here ]------------
WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390
Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025
...
Call trace:
__flush_work+0x344/0x390 (P)
flush_work+0x2c/0x50
led_trigger_set+0x1c8/0x340
led_trigger_register+0x17c/0x1c0
led_trigger_register_simple+0x84/0xe8
snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]
do_one_initcall+0x5c/0x318
do_init_module+0x9c/0x2b8
load_module+0x7e0/0x998

Close the race window by moving the adding of the LED to leds_list to after the led_init_core() call.
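The ordering problem described above, reduced to a single-threaded userspace C model. This is an added illustration, not code from the kernel or from the patch; `run_model`, `register_led`, the `hook` parameter and the `bad_queues` counter are hypothetical names, and the hook stands in for the async modprobe of snd_ctl_led arriving between the two registration steps.

```c
/* Single-threaded userspace model (constructed); not the kernel's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct work { bool initialized; };
struct led {
    struct work set_brightness_work; /* field name from the advisory */
    struct led *next;                /* link in the model's leds_list */
};

static struct led *leds_list;
static int bad_queues; /* times a trigger touched uninitialized work */
/* Models led_trigger_register(): walks leds_list, touching each LED's work. */
static void trigger_register(void)
{
    for (struct led *l = leds_list; l; l = l->next)
        if (!l->set_brightness_work.initialized)
            bad_queues++;
}

static void model_list_add(struct led *l) { l->next = leds_list; leds_list = l; }
static void model_init_core(struct led *l) { l->set_brightness_work.initialized = true; }
/* hook stands in for the async modprobe landing between the two steps. */
static void register_led(struct led *l, bool publish_first, void (*hook)(void))
{
    if (publish_first) {   /* ordering before the fix */
        model_list_add(l);
        if (hook) hook();
        model_init_core(l);
    } else {               /* ordering after the fix */
        model_init_core(l);
        if (hook) hook();
        model_list_add(l);
    }
}

/* Registers two LEDs; trigger registration lands during the second one. */
int run_model(bool publish_first)
{
    struct led a = {0}, b = {0};
    leds_list = NULL; bad_queues = 0;
    register_led(&a, publish_first, NULL);
    register_led(&b, publish_first, trigger_register);
    leds_list = NULL; /* a and b live on this stack frame */
    return bad_queues;
}

int main(void) { printf("before fix: %d, after fix: %d\n", run_model(true), run_model(false)); return 0; }
```

With the pre-fix ordering the trigger walk finds the second LED on the list with its work item still uninitialized; with the post-fix ordering an LED is only reachable through the list once its work item is ready.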

Impact