Skip to main content

Linux Kernel CVE-2026-43014

| EUVDEUVD-2026-26613 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 20:37 vuln.today
CVSS changed
May 07, 2026 - 20:37 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26613
CVE Published
May 01, 2026 - 14:15 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: macb: properly unregister fixed rate clocks

The additional resources allocated with clk_register_fixed_rate() need to be released with clk_unregister_fixed_rate(), otherwise they are lost.

AnalysisAI

Memory leak in the MACB (Cadence Gigabit Ethernet Controller) driver allows local authenticated attackers to cause denial of service through resource exhaustion by failing to unregister fixed-rate clocks allocated during device probe, resulting in memory and clock resource depletion. EPSS exploitation probability is minimal at 0.02%, indicating low real-world risk despite CVSS score of 5.5. Patch versions are available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Technical ContextAI

The vulnerability exists in the macb Ethernet driver's clock registration and cleanup logic. The driver uses clk_register_fixed_rate() to allocate clock resources during device initialization, but the corresponding cleanup path fails to call clk_unregister_fixed_rate() when removing the device or handling error conditions. This violates proper resource lifecycle management in the Linux kernel clock framework. When the driver unloads or reloads multiple times without proper cleanup, each leaked fixed-rate clock allocation consumes kernel memory and occupies slots in the clock registry. The MACB controller (Cadence IP) is commonly found in ARM-based embedded systems and network interface cards. CWE classification not provided in source data, but this is consistent with CWE-401 (Missing Release of Memory after Effective Lifetime) or CWE-775 (Missing Release of File Descriptor or Handle after Effective Lifetime).

RemediationAI

Upgrade Linux kernel to patched versions: kernel 5.10.253 or later for 5.10.x users, 5.15.203 or later for 5.15.x users, 6.1.168 or later for 6.1.x, 6.6.134 or later for 6.6.x, 6.12.81 or later for 6.12.x, 6.18.22 or later for 6.18.x, 6.19.12 or later for 6.19.x, or 7.0 for latest releases. Patches are available in the Linux kernel stable trees via https://git.kernel.org/stable/. For systems unable to immediately upgrade, disable or avoid repeated loading and unloading of the MACB driver module (use rmmod -s to prevent reload cycles). Alternatively, restrict module load/unload capability to prevent privilege escalation vectors if unprivileged users have access. If the system uses MACB hardware (verify with ethtool -i eth0 or lspci | grep -i cadence), prioritize kernel upgrade. For embedded systems using MACB on ARM SoCs, coordinate with firmware/bootloader updates if applicable, as some platforms may bundle kernel patches.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy