CVE-2026-46021

In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone governor cleanup issues If thermal_zone_device_register_with_trips() fails after adding a thermal governor to the thermal zone being registered, the governor is not removed from it as appropriate which may lead to a memory leak. In turn, thermal_zone_device_unregister() calls thermal_set_governor() without acquiring the thermal zone lock beforehand which may race with a governor update via sysfs and may lead to a use-after-free in that case. Address these issues by adding two thermal_set_governor() calls, one to thermal_release() to remove the governor from the given thermal zone, and one to the thermal zone registration error path to cover failures preceding the thermal zone device registration.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/37a430a2d4e66ec8238da6c7f7e48809bf265e13	Patch
https://git.kernel.org/stable/c/41ff66baf81c6541f4f985dd7eac4494d03d9440	Patch
https://git.kernel.org/stable/c/64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06	Patch
https://git.kernel.org/stable/c/75f8f3c3e09122270986de9d7aa347d701676761	Patch
https://git.kernel.org/stable/c/8e563d8db50f303171aceb79eec0807e7ba06951
https://git.kernel.org/stable/c/a172fa18bc370b776ac1510abb0dcb50a7a35fac
https://git.kernel.org/stable/c/d4eb861adde5ce22e459fbd29366f47bb2167977
https://git.kernel.org/stable/c/f412e541d25a3dfaf3d53e012ade6ff03cae8a45	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

19 Jun 2026, 13:16

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/8e563d8db50f303171aceb79eec0807e7ba06951 - () https://git.kernel.org/stable/c/a172fa18bc370b776ac1510abb0dcb50a7a35fac - () https://git.kernel.org/stable/c/d4eb861adde5ce22e459fbd29366f47bb2167977 -

16 Jun 2026, 15:55

Type	Values Removed	Values Added
CWE		CWE-401
CPE		cpe:2.3:o:linux:linux_kernel::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
References	~~() https://git.kernel.org/stable/c/37a430a2d4e66ec8238da6c7f7e48809bf265e13 -~~	() https://git.kernel.org/stable/c/37a430a2d4e66ec8238da6c7f7e48809bf265e13 - Patch
References	~~() https://git.kernel.org/stable/c/41ff66baf81c6541f4f985dd7eac4494d03d9440 -~~	() https://git.kernel.org/stable/c/41ff66baf81c6541f4f985dd7eac4494d03d9440 - Patch
References	~~() https://git.kernel.org/stable/c/64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06 -~~	() https://git.kernel.org/stable/c/64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06 - Patch
References	~~() https://git.kernel.org/stable/c/75f8f3c3e09122270986de9d7aa347d701676761 -~~	() https://git.kernel.org/stable/c/75f8f3c3e09122270986de9d7aa347d701676761 - Patch
References	~~() https://git.kernel.org/stable/c/f412e541d25a3dfaf3d53e012ade6ff03cae8a45 -~~	() https://git.kernel.org/stable/c/f412e541d25a3dfaf3d53e012ade6ff03cae8a45 - Patch
First Time		Linux linux Kernel Linux

27 May 2026, 14:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-27 14:17

Updated : 2026-06-19 13:16

NVD link : CVE-2026-46021

Mitre link : CVE-2026-46021

CVE.ORG link : CVE-2026-46021

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

5.5 /10