CVE-2026-31740 (GCVE-0-2026-31740)

Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-11 22:14
VLAI
Title
counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member
Summary
In the Linux kernel, the following vulnerability has been resolved: counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member The counter driver can use HW channels 1 and 2, while the PWM driver can use HW channels 0, 1, 2, 3, 4, 6, 7. The dev member is assigned both by the counter driver and the PWM driver for channels 1 and 2, to their own struct device instance, overwriting the previous value. The sub-drivers race to assign their own struct device pointer to the same struct rz_mtu3_channel's dev member. The dev member of struct rz_mtu3_channel is used by the counter sub-driver for runtime PM. Depending on the probe order of the counter and PWM sub-drivers, the dev member may point to the wrong struct device instance, causing the counter sub-driver to do runtime PM actions on the wrong device. To fix this, use the parent pointer of the counter, which is assigned during probe to the correct struct device, not the struct device pointer inside the shared struct rz_mtu3_channel.
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 0be8907359df4c62319f5cb2c6981ff0d9ebf35a , < 28a371be901ef44ee03726c2575d7d6795521fe0 (git)
Affected: 0be8907359df4c62319f5cb2c6981ff0d9ebf35a , < 633dfbf0eb2766c597c1a59dd83035c82e14791d (git)
Affected: 0be8907359df4c62319f5cb2c6981ff0d9ebf35a , < 6562290225c197e2e193a53de2a517815288dcd1 (git)
Affected: 0be8907359df4c62319f5cb2c6981ff0d9ebf35a , < 63be324c795262f0e316c6fe9b329d83afa1ec93 (git)
Affected: 0be8907359df4c62319f5cb2c6981ff0d9ebf35a , < 2932095c114b98cbb40ccf34fc00d613cb17cead (git)
Create a notification for this product.
Linux Linux Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.134 , ≤ 6.6.* (semver)
Unaffected: 6.12.81 , ≤ 6.12.* (semver)
Unaffected: 6.18.22 , ≤ 6.18.* (semver)
Unaffected: 6.19.12 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/counter/rz-mtu3-cnt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "28a371be901ef44ee03726c2575d7d6795521fe0",
              "status": "affected",
              "version": "0be8907359df4c62319f5cb2c6981ff0d9ebf35a",
              "versionType": "git"
            },
            {
              "lessThan": "633dfbf0eb2766c597c1a59dd83035c82e14791d",
              "status": "affected",
              "version": "0be8907359df4c62319f5cb2c6981ff0d9ebf35a",
              "versionType": "git"
            },
            {
              "lessThan": "6562290225c197e2e193a53de2a517815288dcd1",
              "status": "affected",
              "version": "0be8907359df4c62319f5cb2c6981ff0d9ebf35a",
              "versionType": "git"
            },
            {
              "lessThan": "63be324c795262f0e316c6fe9b329d83afa1ec93",
              "status": "affected",
              "version": "0be8907359df4c62319f5cb2c6981ff0d9ebf35a",
              "versionType": "git"
            },
            {
              "lessThan": "2932095c114b98cbb40ccf34fc00d613cb17cead",
              "status": "affected",
              "version": "0be8907359df4c62319f5cb2c6981ff0d9ebf35a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/counter/rz-mtu3-cnt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncounter: rz-mtu3-cnt: do not use struct rz_mtu3_channel\u0027s dev member\n\nThe counter driver can use HW channels 1 and 2, while the PWM driver can\nuse HW channels 0, 1, 2, 3, 4, 6, 7.\n\nThe dev member is assigned both by the counter driver and the PWM driver\nfor channels 1 and 2, to their own struct device instance, overwriting\nthe previous value.\n\nThe sub-drivers race to assign their own struct device pointer to the\nsame struct rz_mtu3_channel\u0027s dev member.\n\nThe dev member of struct rz_mtu3_channel is used by the counter\nsub-driver for runtime PM.\n\nDepending on the probe order of the counter and PWM sub-drivers, the\ndev member may point to the wrong struct device instance, causing the\ncounter sub-driver to do runtime PM actions on the wrong device.\n\nTo fix this, use the parent pointer of the counter, which is assigned\nduring probe to the correct struct device, not the struct device pointer\ninside the shared struct rz_mtu3_channel."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:14:50.719Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/28a371be901ef44ee03726c2575d7d6795521fe0"
        },
        {
          "url": "https://git.kernel.org/stable/c/633dfbf0eb2766c597c1a59dd83035c82e14791d"
        },
        {
          "url": "https://git.kernel.org/stable/c/6562290225c197e2e193a53de2a517815288dcd1"
        },
        {
          "url": "https://git.kernel.org/stable/c/63be324c795262f0e316c6fe9b329d83afa1ec93"
        },
        {
          "url": "https://git.kernel.org/stable/c/2932095c114b98cbb40ccf34fc00d613cb17cead"
        }
      ],
      "title": "counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel\u0027s dev member",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31740",
    "datePublished": "2026-05-01T14:14:36.183Z",
    "dateReserved": "2026-03-09T15:48:24.138Z",
    "dateUpdated": "2026-05-11T22:14:50.719Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-31740",
      "date": "2026-06-14",
      "epss": "0.00015",
      "percentile": "0.03326"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31740\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-01T15:16:36.710\",\"lastModified\":\"2026-05-07T19:56:03.380\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncounter: rz-mtu3-cnt: do not use struct rz_mtu3_channel\u0027s dev member\\n\\nThe counter driver can use HW channels 1 and 2, while the PWM driver can\\nuse HW channels 0, 1, 2, 3, 4, 6, 7.\\n\\nThe dev member is assigned both by the counter driver and the PWM driver\\nfor channels 1 and 2, to their own struct device instance, overwriting\\nthe previous value.\\n\\nThe sub-drivers race to assign their own struct device pointer to the\\nsame struct rz_mtu3_channel\u0027s dev member.\\n\\nThe dev member of struct rz_mtu3_channel is used by the counter\\nsub-driver for runtime PM.\\n\\nDepending on the probe order of the counter and PWM sub-drivers, the\\ndev member may point to the wrong struct device instance, causing the\\ncounter sub-driver to do runtime PM actions on the wrong device.\\n\\nTo fix this, use the parent pointer of the counter, which is assigned\\nduring probe to the correct struct device, not the struct device pointer\\ninside the shared struct rz_mtu3_channel.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.4\",\"versionEndExcluding\":\"6.6.134\",\"matchCriteriaId\":\"C1AFB41D-EE40-4D1A-93ED-E8655E9E65C4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.81\",\"matchCriteriaId\":\"6EF80433-B33B-43C5-8E64-0FA7B8DCE1BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.18.22\",\"matchCriteriaId\":\"C9DF8BCE-36D3-475D-9D21-19E4F02F9029\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.12\",\"matchCriteriaId\":\"0A2B9540-02D5-41B4-B16A-82AF66FD4F36\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F666C8D8-6538-46D4-B318-87610DE64C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"02259FDA-961B-47BC-AE7F-93D7EC6E90C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D2315C0-D46F-4F85-9754-F9E5E11374A6\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/28a371be901ef44ee03726c2575d7d6795521fe0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/2932095c114b98cbb40ccf34fc00d613cb17cead\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/633dfbf0eb2766c597c1a59dd83035c82e14791d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/63be324c795262f0e316c6fe9b329d83afa1ec93\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6562290225c197e2e193a53de2a517815288dcd1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.