CVE-2026-46021

If thermalzonedeviceregisterwith_trips() fails after adding a thermal governor to the thermal zone being registered, the governor is not removed from it as appropriate which may lead to a memory leak.

In turn, thermalzonedeviceunregister() calls thermalset_governor() without acquiring the thermal zone lock beforehand which may race with a governor update via sysfs and may lead to a use-after-free in that case.

Address these issues by adding two thermalsetgovernor() calls, one to thermal_release() to remove the governor from the given thermal zone, and one to the thermal zone registration error path to cover failures preceding the thermal zone device registration.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46021.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

e33df1d2f3a0141cd79e770f31999ba0dd7ebfa8

Fixed

37a430a2d4e66ec8238da6c7f7e48809bf265e13

Fixed

f412e541d25a3dfaf3d53e012ade6ff03cae8a45

Fixed

75f8f3c3e09122270986de9d7aa347d701676761

Fixed

64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06

Fixed

41ff66baf81c6541f4f985dd7eac4494d03d9440

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46021.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0

Fixed

6.6.140

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.86

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.27

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

7.0.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46021.json"