CVE-2026-31740 (GCVE-0-2026-31740)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:14 – Updated: 2026-05-01 14:14
VLAI?
Title
counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member
Summary
In the Linux kernel, the following vulnerability has been resolved:
counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member
The counter driver can use HW channels 1 and 2, while the PWM driver can
use HW channels 0, 1, 2, 3, 4, 6, 7.
The dev member is assigned both by the counter driver and the PWM driver
for channels 1 and 2, to their own struct device instance, overwriting
the previous value.
The sub-drivers race to assign their own struct device pointer to the
same struct rz_mtu3_channel's dev member.
The dev member of struct rz_mtu3_channel is used by the counter
sub-driver for runtime PM.
Depending on the probe order of the counter and PWM sub-drivers, the
dev member may point to the wrong struct device instance, causing the
counter sub-driver to do runtime PM actions on the wrong device.
To fix this, use the parent pointer of the counter, which is assigned
during probe to the correct struct device, not the struct device pointer
inside the shared struct rz_mtu3_channel.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0be8907359df4c62319f5cb2c6981ff0d9ebf35a , < 28a371be901ef44ee03726c2575d7d6795521fe0
(git)
Affected: 0be8907359df4c62319f5cb2c6981ff0d9ebf35a , < 633dfbf0eb2766c597c1a59dd83035c82e14791d (git) Affected: 0be8907359df4c62319f5cb2c6981ff0d9ebf35a , < 6562290225c197e2e193a53de2a517815288dcd1 (git) Affected: 0be8907359df4c62319f5cb2c6981ff0d9ebf35a , < 63be324c795262f0e316c6fe9b329d83afa1ec93 (git) Affected: 0be8907359df4c62319f5cb2c6981ff0d9ebf35a , < 2932095c114b98cbb40ccf34fc00d613cb17cead (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/counter/rz-mtu3-cnt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "28a371be901ef44ee03726c2575d7d6795521fe0",
"status": "affected",
"version": "0be8907359df4c62319f5cb2c6981ff0d9ebf35a",
"versionType": "git"
},
{
"lessThan": "633dfbf0eb2766c597c1a59dd83035c82e14791d",
"status": "affected",
"version": "0be8907359df4c62319f5cb2c6981ff0d9ebf35a",
"versionType": "git"
},
{
"lessThan": "6562290225c197e2e193a53de2a517815288dcd1",
"status": "affected",
"version": "0be8907359df4c62319f5cb2c6981ff0d9ebf35a",
"versionType": "git"
},
{
"lessThan": "63be324c795262f0e316c6fe9b329d83afa1ec93",
"status": "affected",
"version": "0be8907359df4c62319f5cb2c6981ff0d9ebf35a",
"versionType": "git"
},
{
"lessThan": "2932095c114b98cbb40ccf34fc00d613cb17cead",
"status": "affected",
"version": "0be8907359df4c62319f5cb2c6981ff0d9ebf35a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/counter/rz-mtu3-cnt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncounter: rz-mtu3-cnt: do not use struct rz_mtu3_channel\u0027s dev member\n\nThe counter driver can use HW channels 1 and 2, while the PWM driver can\nuse HW channels 0, 1, 2, 3, 4, 6, 7.\n\nThe dev member is assigned both by the counter driver and the PWM driver\nfor channels 1 and 2, to their own struct device instance, overwriting\nthe previous value.\n\nThe sub-drivers race to assign their own struct device pointer to the\nsame struct rz_mtu3_channel\u0027s dev member.\n\nThe dev member of struct rz_mtu3_channel is used by the counter\nsub-driver for runtime PM.\n\nDepending on the probe order of the counter and PWM sub-drivers, the\ndev member may point to the wrong struct device instance, causing the\ncounter sub-driver to do runtime PM actions on the wrong device.\n\nTo fix this, use the parent pointer of the counter, which is assigned\nduring probe to the correct struct device, not the struct device pointer\ninside the shared struct rz_mtu3_channel."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:14:36.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/28a371be901ef44ee03726c2575d7d6795521fe0"
},
{
"url": "https://git.kernel.org/stable/c/633dfbf0eb2766c597c1a59dd83035c82e14791d"
},
{
"url": "https://git.kernel.org/stable/c/6562290225c197e2e193a53de2a517815288dcd1"
},
{
"url": "https://git.kernel.org/stable/c/63be324c795262f0e316c6fe9b329d83afa1ec93"
},
{
"url": "https://git.kernel.org/stable/c/2932095c114b98cbb40ccf34fc00d613cb17cead"
}
],
"title": "counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel\u0027s dev member",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31740",
"datePublished": "2026-05-01T14:14:36.183Z",
"dateReserved": "2026-03-09T15:48:24.138Z",
"dateUpdated": "2026-05-01T14:14:36.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-31740",
"date": "2026-05-05",
"epss": "0.00018",
"percentile": "0.04829"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-31740\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-01T15:16:36.710\",\"lastModified\":\"2026-05-01T15:24:14.893\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncounter: rz-mtu3-cnt: do not use struct rz_mtu3_channel\u0027s dev member\\n\\nThe counter driver can use HW channels 1 and 2, while the PWM driver can\\nuse HW channels 0, 1, 2, 3, 4, 6, 7.\\n\\nThe dev member is assigned both by the counter driver and the PWM driver\\nfor channels 1 and 2, to their own struct device instance, overwriting\\nthe previous value.\\n\\nThe sub-drivers race to assign their own struct device pointer to the\\nsame struct rz_mtu3_channel\u0027s dev member.\\n\\nThe dev member of struct rz_mtu3_channel is used by the counter\\nsub-driver for runtime PM.\\n\\nDepending on the probe order of the counter and PWM sub-drivers, the\\ndev member may point to the wrong struct device instance, causing the\\ncounter sub-driver to do runtime PM actions on the wrong device.\\n\\nTo fix this, use the parent pointer of the counter, which is assigned\\nduring probe to the correct struct device, not the struct device pointer\\ninside the shared struct rz_mtu3_channel.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/28a371be901ef44ee03726c2575d7d6795521fe0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2932095c114b98cbb40ccf34fc00d613cb17cead\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/633dfbf0eb2766c597c1a59dd83035c82e14791d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/63be324c795262f0e316c6fe9b329d83afa1ec93\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6562290225c197e2e193a53de2a517815288dcd1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…