CVE-2026-23101

EUVD-2026-5441

04.02.2026, 17:16

In the Linux kernel, the following vulnerability has been resolved:

leds: led-class: Only Add LED to leds_list when it is fully ready

Before this change the LED was added to leds_list before led_init_core()
gets called adding it the list before led_classdev.set_brightness_work gets
initialized.

This leaves a window where led_trigger_register() of a LED's default
trigger will call led_trigger_set() which calls led_set_brightness()
which in turn will end up queueing the *uninitialized*
led_classdev.set_brightness_work.

This race gets hit by the lenovo-thinkpad-t14s EC driver which registers
2 LEDs with a default trigger provided by snd_ctl_led.ko in quick
succession. The first led_classdev_register() causes an async modprobe of
snd_ctl_led to run and that async modprobe manages to exactly hit
the window where the second LED is on the leds_list without led_init_core()
being called for it, resulting in:

 ------------[ cut here ]------------
 WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390
 Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025
 ...
 Call trace:
  __flush_work+0x344/0x390 (P)
  flush_work+0x2c/0x50
  led_trigger_set+0x1c8/0x340
  led_trigger_register+0x17c/0x1c0
  led_trigger_register_simple+0x84/0xe8
  snd_ctl_led_init+0x40/0xf88 [snd_ctl_led]
  do_one_initcall+0x5c/0x318
  do_init_module+0x9c/0x2b8
  load_module+0x7e0/0x998

Close the race window by moving the adding of the LED to leds_list to
after the led_init_core() call.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	3.7 ≤ 𝑥 < 5.10.249
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.199
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.162
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.122
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.68
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.8
linux	linux_kernel	6.19:rc1
linux	linux_kernel	6.19:rc2
linux	linux_kernel	6.19:rc3
linux	linux_kernel	6.19:rc4
linux	linux_kernel	6.19:rc5
linux	linux_kernel	6.19:rc6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	vulnerable
bookworm (security)	6.1.164-1 fixed
bullseye	vulnerable
bullseye (security)	5.10.251-1 fixed
forky	6.19.10-1 fixed
sid	6.19.11-1 fixed
trixie	6.12.73-1 fixed
trixie (security)	6.12.74-2 fixed

linux-6.1

bullseye (security)

6.1.164-1~deb11u1

fixed

Common Weakness Enumeration

CWE-908 - Use of Uninitialized Resource
The software uses or accesses a resource that has not been initialized.

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux-Kernel ausnutzen, um nicht näher spezifizierte Angriffe durchzuführen, die möglicherweise zu einer Denial-of-Service- Bedingung führen oder eine Speicherbeschädigung verursachen können.
Published: 2026-02-04T23:00:00+00:00

References

https://git.kernel.org/stable/c/2757f7748ce2d0fa44112024907bafb37e104d6e

https://git.kernel.org/stable/c/78822628165f3d817382f67f91129161159ca234

https://git.kernel.org/stable/c/d117fdcb21b05c0e0460261d017b92303cd9ba77

https://git.kernel.org/stable/c/d1883cefd31752f0504b94c3bcfa1f6d511d6e87

https://git.kernel.org/stable/c/da565bf98c9ad0eabcb09fc97859e0b52f98b7c3

https://git.kernel.org/stable/c/e90c861411fc84629a240384b0a72830539d3386

https://git.kernel.org/stable/c/f7a6df659af777058833802c29b3b7974db5e78a