CVE-2026-31426

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()<br /> <br /> When ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware<br /> platforms, it has already started the EC and installed the address<br /> space handler with the struct acpi_ec pointer as handler context.<br /> However, acpi_ec_setup() propagates the error without any cleanup.<br /> <br /> The caller acpi_ec_add() then frees the struct acpi_ec for non-boot<br /> instances, leaving a dangling handler context in ACPICA.<br /> <br /> Any subsequent AML evaluation that accesses an EC OpRegion field<br /> dispatches into acpi_ec_space_handler() with the freed pointer,<br /> causing a use-after-free:<br /> <br /> BUG: KASAN: slab-use-after-free in mutex_lock (kernel/locking/mutex.c:289)<br /> Write of size 8 at addr ffff88800721de38 by task init/1<br /> Call Trace:<br /> <br /> mutex_lock (kernel/locking/mutex.c:289)<br /> acpi_ec_space_handler (drivers/acpi/ec.c:1362)<br /> acpi_ev_address_space_dispatch (drivers/acpi/acpica/evregion.c:293)<br /> acpi_ex_access_region (drivers/acpi/acpica/exfldio.c:246)<br /> acpi_ex_field_datum_io (drivers/acpi/acpica/exfldio.c:509)<br /> acpi_ex_extract_from_field (drivers/acpi/acpica/exfldio.c:700)<br /> acpi_ex_read_data_from_field (drivers/acpi/acpica/exfield.c:327)<br /> acpi_ex_resolve_node_to_value (drivers/acpi/acpica/exresolv.c:392)<br /> <br /> <br /> Allocated by task 1:<br /> acpi_ec_alloc (drivers/acpi/ec.c:1424)<br /> acpi_ec_add (drivers/acpi/ec.c:1692)<br /> <br /> Freed by task 1:<br /> kfree (mm/slub.c:6876)<br /> acpi_ec_add (drivers/acpi/ec.c:1751)<br /> <br /> The bug triggers on reduced-hardware EC platforms (ec-&gt;gpe