The National Vulnerability Database published CVE-2026-46075 on May 27, 2026, flagging a critical race condition in the Linux kernel’s driver for the Atmel SHA204A cryptographic chip. The bug, which lurked in the hardware random number generator (RNG) teardown path, could let a local attacker trigger a use-after-free (UAF) and memory leak during device removal. While the flaw resides in Linux, its mechanics are a potent reminder for Windows driver developers: asynchronous I/O and device hot-unplug are universal powder kegs.

A Kernel Race Condition Exposes Hardware RNG

The Atmel SHA204A is a widely deployed crypto-authentication chip that provides secure key storage, symmetric authentication, and a FIPS-compliant hardware RNG. It connects via I²C or single-wire interfaces and pops up in everything from IoT sensors and industrial controllers to some laptop trusted platform modules. In Linux, the atmel-sha204a driver manages communication with the chip, registering a hardware RNG source with the kernel’s hwrng framework.

When user space reads from /dev/hwrng, the kernel can use the chip’s physical noise source to generate entropy. But the driver’s cleanup routine for device removal—triggered by a physical unplug, a virtual hot-unplug, or a module unload—did not properly synchronize pending reads. As a result, a read operation already in flight could continue asynchronously even after the driver freed the underlying device context and DMA buffers. This race condition created a classic use-after-free scenario and leaked memory that accumulated across each removal cycle.

The Anatomy of the Bug: Use-After-Free and Memory Leaks

Race conditions in kernel teardown follow a familiar pattern. A worker thread or callback holds a pointer to a device structure. Meanwhile, the remove handler runs, frees that structure, and returns. If the worker hasn’t been reliably cancelled, it eventually touches the freed memory—triggering a UAF. In CVE-2026-46075, the race involved the hwrng read callback and the driver’s remove function.

When a process reads from the hardware RNG, the kernel invokes the driver’s read function. That function often waits for a hardware interrupt or a DMA completion. If the device is yanked before the operation finishes, the interrupt might never arrive, leaving the read worker in a waiting state. A naive remove function that simply calls kfree() on the device structure without first cancelling the pending work is a ticking bomb. The race window is narrow but reproducible, especially on systems where devices are frequently connected and disconnected.

The memory leak added insult to injury. Each removal leaked several kilobytes of DMA-consistent memory, which could degrade performance or, in embedded systems with tight memory budgets, lead to an eventual denial of service. Attackers with physical access or the ability to trigger USB/I²C device removals (e.g., via a malicious USB hub) could exploit the UAF to escalate privileges or crash the kernel. While no public exploit code surfaced with the disclosure, the vulnerability’s characteristics make it a prime target for fuzzing-based attacks.

The Patch: How the Kernel Team Fixed CVE-2026-46075

The fix, committed to the Linux kernel mainline by a maintainer in the hw_random subsystem, introduced three changes:

  • Pending read cancellation: The remove function now calls hwrng_unregister() synchronously, which cancels any in-flight reads before freeing resources. This ensures no callbacks can reference stale pointers.
  • Explicit synchronization: A completion structure was added to wait for any read-in-progress to finish, closing the race window.
  • Leak cleanup: DMA buffers and the device context are now freed only after all workers have been quiesced, preventing both UAF and memory leaks.
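The ordering these three changes describe, and the worker-versus-remove race outlined earlier, modelled in userspace with pthreads. This is an added example, not the kernel patch or the driver's code; `struct dev`, `dev_read`, `dev_remove` and `run_teardown_demo` are hypothetical names, and the stalled read and sample bytes are constructed.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

struct dev {                         /* hypothetical context, userspace model only */
    pthread_mutex_t lock;
    pthread_cond_t cv;
    int inflight, removed, rc;
    unsigned char *dma_buf, out[8];  /* dma_buf stands in for the DMA buffer */
};
/* Read path: refuse new work after removal, otherwise count as in flight. */
static int dev_read(struct dev *d) {
    pthread_mutex_lock(&d->lock);
    if (d->removed) { pthread_mutex_unlock(&d->lock); return -ENODEV; }
    d->inflight++;
    pthread_cond_broadcast(&d->cv);
    while (!d->removed) pthread_cond_wait(&d->cv, &d->lock);  /* constructed stall */
    pthread_mutex_unlock(&d->lock);
    memcpy(d->out, d->dma_buf, sizeof d->out);  /* UAF if remove had not waited */
    pthread_mutex_lock(&d->lock);
    d->inflight--;
    pthread_cond_broadcast(&d->cv);
    pthread_mutex_unlock(&d->lock);
    return (int)sizeof d->out;
}
/* Remove path: block new reads, wait for in-flight ones, only then free. */
static void dev_remove(struct dev *d) {
    pthread_mutex_lock(&d->lock);
    d->removed = 1;
    pthread_cond_broadcast(&d->cv);
    while (d->inflight > 0) pthread_cond_wait(&d->cv, &d->lock);
    pthread_mutex_unlock(&d->lock);
    free(d->dma_buf); d->dma_buf = NULL;  /* no reader can still be using it */
}
static void *reader(void *p) { struct dev *d = p; d->rc = dev_read(d); return NULL; }
int run_teardown_demo(void) {  /* 0 = in-flight read saw live data, later read refused */
    struct dev d = { .lock = PTHREAD_MUTEX_INITIALIZER,
                     .cv = PTHREAD_COND_INITIALIZER, .dma_buf = malloc(8) };
    pthread_t t;
    if (!d.dma_buf) return -1;
    memset(d.dma_buf, 0xA5, 8);      /* constructed sample bytes */
    if (pthread_create(&t, NULL, reader, &d)) { free(d.dma_buf); return -1; }
    pthread_mutex_lock(&d.lock);
    while (d.inflight == 0) pthread_cond_wait(&d.cv, &d.lock);  /* read in flight */
    pthread_mutex_unlock(&d.lock);
    dev_remove(&d);
    pthread_join(t, NULL);
    return (d.rc == 8 && d.out[0] == 0xA5 && dev_read(&d) == -ENODEV) ? 0 : 1;
}
```

Moving the `free()` in `dev_remove` above the wait loop reproduces the flawed ordering: the stalled reader would then copy from released memory.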

The patch landed in kernel versions 6.1.92, 6.6.32, and 6.9.3, and was backported to stable trees. Systems integrators and distros that ship the atmel-sha204a driver should prioritize the update, especially for platforms that expose the I²C bus to untrusted USB-to-I²C adapters or hot-pluggable modules.

Implications for Windows Users and Developers

Windows enthusiasts might wonder why a Linux kernel CVE matters to them. The answer is twofold: shared hardware and timeless driver lessons.

First, the Atmel chip (now part of Microchip Technology) is platform-agnostic. It’s used on Windows IoT Core devices, embedded industrial PCs, and even some developer boards running Windows 10/11 for ARM. If a Windows driver for the SHA204A, whether from Microchip or a third party, makes a similar teardown mistake, the same race could exist. Microsoft’s Driver Frameworks (KMDF and UMDF) provide built-in synchronization for I/O cancellation, but a driver written for the legacy Windows Driver Model (WDM) or one that bypasses framework callbacks can still stumble into UAF bugs.

Second, the kernel-mode race condition is a canonical case study for Windows driver developers. The Windows kernel’s I/O manager uses Cancel Routines to safely abort pending IRPs during device removal. But if a driver uses a custom worker thread (e.g., a system thread handling an uninterruptible I/O) and fails to synchronize it with the EvtDeviceD0ExitPreHardwareDisable or EvtDeviceReleaseHardware callback, the same dangling pointer risk arises.

Security researchers have demonstrated analogous flaws in Windows drivers for fingerprint sensors, graphics cards, and network adapters. Tools like Driver Verifier with I/O Verification and Deadlock Detection can catch many of these bugs before they ship. The Windows Hardware Lab Kit (HLK) now includes tests that stress surprise removal scenarios, but manually coded races often slip through.

Staying Secure: Patching and Best Practices

For Linux users, the immediate action is to update to a kernel containing the fix. Embedded developers should rebuild their kernels or apply the backported patch. For Windows shops using hardware that includes the SHA204A, review any custom driver for proper device removal handling:

  • Use framework device interfaces (WdfDeviceSetPnpPowerCallbacks) and avoid manual IRP dispatch for plug-and-play operations.
  • Ensure that any work items or threads are flushed and terminated in the EvtDeviceD0Exit or EvtDeviceReleaseHardware callbacks before resources are freed.
  • Test with the Driver Verifier Flag “Concurrent Stress” enabled to simulate high-frequency device removal and re-enumeration.
  • Run static analysis with CodeQL or Semmle rules tuned for Windows driver UAF patterns.

Microsoft has also improved driver isolation: user-mode drivers (UMDF v2) carry less risk because user-mode crashes don’t directly corrupt kernel memory. Where feasible, porting kernel-mode drivers to UMDF not only improves system stability but also constrains exploit potential.

Broader Security Landscape

CVE-2026-46075 is not an isolated incident. The Linux kernel saw a spike in hardware RNG driver CVEs in 2025–2026 as fuzzers like syzkaller gained better coverage of the hw_random subsystem. Windows has historically been less affected because fewer Windows systems expose raw hardware RNG interfaces to user space. However, as Windows Subsystem for Linux (WSL) and Azure Sphere blur the lines, hardware RNG vulnerabilities can cross OS boundaries. A compromised Linux VM with passthrough access to a physical RNG could potentially attack the host if the hypervisor doesn’t properly mediate the I²C transactions.

Both ecosystems are moving toward stronger driver attestation and sandboxing. The Linux Kernel Self Protection Project (KSPP) advocates for panic-on-UAF and heap quarantine technologies. Windows embraces virtualization-based security (VBS) to isolate critical drivers in VTL1. These architectural defenses raise the bar, but they don’t replace careful teardown coding.

Conclusion

The bug in the atmel-sha204a driver is a textbook case of why device removal is one of the hardest paths to get right in kernel programming—on any OS. The fix demonstrates that explicit synchronization and framework-managed cancellation are non-negotiable. For Windows developers, the vulnerability underscores the value of driver verifiers and the need to treat every hot-unplug as a potential threat. As hardware RNGs become more pervasive in secure enclaves and edge devices, the cost of getting teardown wrong will only grow.