Linux Kernel Vulnerability in PM8001 Driver by Linux Foundation
CVE-2026-23306

7.8HIGH

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 25 March 2026

What is CVE-2026-23306?

The Linux kernel's PM8001 driver contains a use-after-free vulnerability due to improper handling of task statuses. Following a refactor in pm8001_queue_command(), an error handling path was introduced that leads to a double free scenario. When a task operation fails due to a device being offline, the function mistakenly indicates that the task was processed and frees the associated resources. This can result in a crash or unpredictable behavior if the task is freed again by the caller, highlighting the need for careful resource management in kernel-level code.

Affected Version(s)

Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0

Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0 < 8b00427317ba7b7ec91252b034009f638d0f311b

Linux e29c47fe8946cc732b0e0d393b65b13c84bb69d0

References

https://git.kernel.org/stable/c/ebbb852ffbc952b95ddb7e387...

https://git.kernel.org/stable/c/8b00427317ba7b7ec91252b03...

https://git.kernel.org/stable/c/c5dc39f8ae055520fd778b7fb...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 25, 2026
Vulnerability Reserved
Jan 13, 2026

CVE-2026-23306 Data

JSON