CVE-2026-23101

MEDIUM EPSS 2.1%
Published Feb 4, 20264mo ago · Modified Jun 17, 20262w ago
4.7 CVSS 3.1
Medium
Find Similar
Published Feb 4, 2026 4mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: leds: led-class: Only Add LED to leds_list when it is fully ready Before this change the LED was added to leds_list before led_init_core() gets called adding it the list before led_classdev.set_brightness_work gets initialized. This leaves a window where led_trigger_register() of a LED's default trigger will call led_trigger_set() which calls led_set_brightness() which in turn will end up queueing the *uninitialized* led_classdev.set_brightness_work. This race gets hit by the lenovo-thinkpad-t14s EC driver which registers 2 LEDs with a default trigger provided by snd_ctl_led.ko in quick succession. The first led_classdev_register() causes an async modprobe of snd_ctl_led to run and that async modprobe manages to exactly hit the window where the second LED is on the leds_list without led_init_core() being called for it, resulting in: ------------[ cut here ]------------ WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390 Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025 ... Call trace: __flush_work+0x344/0x390 (P) flush_work+0x2c/0x50 led_trigger_set+0x1c8/0x340 led_trigger_register+0x17c/0x1c0 led_trigger_register_simple+0x84/0xe8 snd_ctl_led_init+0x40/0xf88 [snd_ctl_led] do_one_initcall+0x5c/0x318 do_init_module+0x9c/0x2b8 load_module+0x7e0/0x998 Close the race window by moving the adding of the LED to leds_list to after the led_init_core() call.

CVSS Details

Base Score
4.7
Exploitability
1.0
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-908

Affected Products 12

VendorProductVersionRange
linuxlinux_kernel*≥3.7  –  <5.10.249
linuxlinux_kernel*≥5.11  –  <5.15.199
linuxlinux_kernel*≥5.16  –  <6.1.162
linuxlinux_kernel*≥6.2  –  <6.6.122
linuxlinux_kernel*≥6.7  –  <6.12.68
linuxlinux_kernel*≥6.13  –  <6.18.8
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/2757f7748ce2d0fa44112024907bafb37e104d6e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/78822628165f3d817382f67f91129161159ca234
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d117fdcb21b05c0e0460261d017b92303cd9ba77
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d1883cefd31752f0504b94c3bcfa1f6d511d6e87
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/da565bf98c9ad0eabcb09fc97859e0b52f98b7c3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e90c861411fc84629a240384b0a72830539d3386
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f7a6df659af777058833802c29b3b7974db5e78a
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/2757f7748ce2d0fa44112024907bafb37e104d6e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/78822628165f3d817382f67f91129161159ca234
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d117fdcb21b05c0e0460261d017b92303cd9ba77
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d1883cefd31752f0504b94c3bcfa1f6d511d6e87
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/da565bf98c9ad0eabcb09fc97859e0b52f98b7c3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e90c861411fc84629a240384b0a72830539d3386
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f7a6df659af777058833802c29b3b7974db5e78a
    Patch