Bug 2464501 (CVE-2026-31741) - CVE-2026-31741 kernel: counter: rz-mtu3-cnt: prevent counter from being toggled multiple times
Summary: CVE-2026-31741 kernel: counter: rz-mtu3-cnt: prevent counter from being toggl...
Keywords:
Status: NEW
Alias: CVE-2026-31741
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-01 15:10 UTC by OSIDB Bzimport
Modified: 2026-05-01 21:44 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-01 15:10:17 UTC 
In the Linux kernel, the following vulnerability has been resolved:

counter: rz-mtu3-cnt: prevent counter from being toggled multiple times

Runtime PM counter is incremented / decremented each time the sysfs
enable file is written to.

If user writes 0 to the sysfs enable file multiple times, runtime PM
usage count underflows, generating the following message.

rz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow!

At the same time, hardware registers end up being accessed with clocks
off in rz_mtu3_terminate_counter() to disable an already disabled
channel.

If user writes 1 to the sysfs enable file multiple times, runtime PM
usage count will be incremented each time, requiring the same number of
0 writes to get it back to 0.

If user writes 0 to the sysfs enable file while PWM is in progress, PWM
is stopped without counter being the owner of the underlying MTU3
channel.

Check against the cached count_is_enabled value and exit if the user
is trying to set the same enable value.
Comment 1 Keith Grant 2026-05-01 21:42:17 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050139-CVE-2026-31741-08c6@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.