CVE-2026-31426
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
13/04/2026
Última modificación:
13/04/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()<br />
<br />
When ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware<br />
platforms, it has already started the EC and installed the address<br />
space handler with the struct acpi_ec pointer as handler context.<br />
However, acpi_ec_setup() propagates the error without any cleanup.<br />
<br />
The caller acpi_ec_add() then frees the struct acpi_ec for non-boot<br />
instances, leaving a dangling handler context in ACPICA.<br />
<br />
Any subsequent AML evaluation that accesses an EC OpRegion field<br />
dispatches into acpi_ec_space_handler() with the freed pointer,<br />
causing a use-after-free:<br />
<br />
BUG: KASAN: slab-use-after-free in mutex_lock (kernel/locking/mutex.c:289)<br />
Write of size 8 at addr ffff88800721de38 by task init/1<br />
Call Trace:<br />
<br />
mutex_lock (kernel/locking/mutex.c:289)<br />
acpi_ec_space_handler (drivers/acpi/ec.c:1362)<br />
acpi_ev_address_space_dispatch (drivers/acpi/acpica/evregion.c:293)<br />
acpi_ex_access_region (drivers/acpi/acpica/exfldio.c:246)<br />
acpi_ex_field_datum_io (drivers/acpi/acpica/exfldio.c:509)<br />
acpi_ex_extract_from_field (drivers/acpi/acpica/exfldio.c:700)<br />
acpi_ex_read_data_from_field (drivers/acpi/acpica/exfield.c:327)<br />
acpi_ex_resolve_node_to_value (drivers/acpi/acpica/exresolv.c:392)<br />
<br />
<br />
Allocated by task 1:<br />
acpi_ec_alloc (drivers/acpi/ec.c:1424)<br />
acpi_ec_add (drivers/acpi/ec.c:1692)<br />
<br />
Freed by task 1:<br />
kfree (mm/slub.c:6876)<br />
acpi_ec_add (drivers/acpi/ec.c:1751)<br />
<br />
The bug triggers on reduced-hardware EC platforms (ec->gpe
Impacto
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/022d1727f33ff90b3e1775125264e3023901952e
- https://git.kernel.org/stable/c/808c0f156f48d5b8ca34088cbbfba8444e606cbc
- https://git.kernel.org/stable/c/9c886e63b69658959633937e3acb7ca8addf7499
- https://git.kernel.org/stable/c/be1a827e15991e874e0d5222d0ea5fdad01960fe
- https://git.kernel.org/stable/c/d04c007047c88158141d9bd5eac761cdadd3782c
- https://git.kernel.org/stable/c/f6484cadbcaf26b5844b51bd7307a663dda48ef6



