CVE-2026-31486
Published: 22 April 2026
Summary
CVE-2026-31486 is a high-severity Improper Locking (CWE-667) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 1.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely remediation through kernel patching directly resolves the improper locking flaw preventing race condition exploitation in pmbus regulator operations.
Prevents unauthorized concurrent access to shared PMBus registers and data, directly mitigating race conditions from unprotected regulator functions.
Vulnerability scanning identifies the presence of this kernel race condition flaw for subsequent remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Race condition in kernel regulator ops (pmbus) directly enables local low-priv exploitation causing runtime data corruption (integrity impact) and system crashes/unavailability (availability impact).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/core) Protect regulator operations with mutex The regulator operations pmbus_regulator_get_voltage(), pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage() access PMBus registers and shared data but were not protected by the update_lock mutex. This could…
more
lead to race conditions. However, adding mutex protection directly to these functions causes a deadlock because pmbus_regulator_notify() (which calls regulator_notifier_call_chain()) is often called with the mutex already held (e.g., from pmbus_fault_handler()). If a regulator callback then calls one of the now-protected voltage functions, it will attempt to acquire the same mutex. Rework pmbus_regulator_notify() to utilize a worker function to send notifications outside of the mutex protection. Events are stored as atomics in a per-page bitmask and processed by the worker. Initialize the worker and its associated data during regulator registration, and ensure it is cancelled on device removal using devm_add_action_or_reset(). While at it, remove the unnecessary include of linux/of.h.
Deeper analysisAI
CVE-2026-31486 is a vulnerability in the Linux kernel's hwmon pmbus/core subsystem, where regulator operations such as pmbus_regulator_get_voltage(), pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage() access PMBus registers and shared data without protection from the update_lock mutex. This lack of synchronization can lead to race conditions. The issue is scored at CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and maps to CWE-667 (Improper Locking).
A local attacker with low privileges can exploit these race conditions by concurrently invoking the unprotected regulator functions, potentially causing high-impact disruptions to data integrity and system availability, though confidentiality is unaffected.
Mitigation is provided through kernel patches available in the referenced commits, which add mutex protection to the regulator operations while preventing deadlocks. The fix reworks pmbus_regulator_notify() to use a worker function for sending notifications outside the mutex-held context, storing events in a per-page atomic bitmask. The worker is initialized during regulator registration and cancelled on device removal using devm_add_action_or_reset().
Details
- CWE(s)