Skip to main content

Linux Kernel CVE-2026-45868

| EUVDEUVD-2026-32334 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-m8c9-pvw4-86cp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only refcount leak in a driver probe path; PR:L to trigger sysfs operations; no confidentiality or integrity impact possible from resource exhaustion alone.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:12 vuln.today
CVSS changed
Jun 25, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

pinctrl: single: fix refcount leak in pcs_add_gpio_func()

of_parse_phandle_with_args() returns a device_node pointer with refcount incremented in gpiospec.np. The loop iterates through all phandles but never releases the reference, causing a refcount leak on each iteration.

Add of_node_put() calls to release the reference after extracting the needed arguments and on the error path when devm_kzalloc() fails.

This bug was detected by our static analysis tool and verified by my code review.

AnalysisAI

Reference count leak in the Linux kernel's pinctrl-single driver (pcs_add_gpio_func()) allows a local low-privileged user to cause kernel memory exhaustion and denial of service on affected embedded/SoC platforms. The of_parse_phandle_with_args() Device Tree API increments a refcount on the returned device_node pointer, but the iterating loop never calls of_node_put() to release it - accumulating leaked references on every GPIO phandle processed. No public exploit exists and EPSS is 0.02%, placing this firmly in the low-urgency patch category; exploitation requires specific hardware and driver configuration not present on typical x86 servers.

Technical ContextAI

The defect lives in drivers/pinctrl/pinctrl-single.c, the Linux kernel's generic Device Tree-driven pin control driver. The function pcs_add_gpio_func() calls of_parse_phandle_with_args() - an Open Firmware Device Tree API - to iterate over GPIO phandle arguments embedded in platform device tree nodes. Linux's device node lifecycle mandates that every successful call to of_parse_phandle_with_args() must be balanced by a corresponding of_node_put() to decrement the kref on the returned gpiospec.np pointer. The bug is the complete absence of of_node_put() in both the happy path (after arguments are extracted) and the error path (when devm_kzalloc() fails). Each loop iteration permanently inflates the reference count, constituting a CWE-401/CWE-772 class resource leak. The CPE cpe:2.3:o:linux:linux_kernel:* covers all affected versions from the introducing commit (a1a277eb76b3) across seven stable branches. This driver is used exclusively on embedded/SoC platforms (ARM, MIPS, RISC-V) that describe pin multiplexing in Device Tree; it is not loaded on x86 server hardware.

RemediationAI

Apply the appropriate patched kernel version for your stable branch: 5.10.252+, 5.15.202+, 6.1.165+, 6.6.128+, 6.12.75+, 6.18.14+, 6.19.4+, or 7.0+. Fix commits are available at https://git.kernel.org/stable/c/e2e367e56bacb93ce5ac73f0b3297d5c83d38dd4 (and sibling commits for each branch listed in the references). For systems that cannot be immediately patched, assess whether CONFIG_PINCTRL_SINGLE is compiled into the running kernel (grep CONFIG_PINCTRL_SINGLE /boot/config-$(uname -r)); systems without this driver compiled in are not exposed. If pinctrl-single is a loadable module rather than built-in, preventing module load via a modprobe blacklist (blacklist pinctrl-single in /etc/modprobe.d/) is an effective but potentially disruptive workaround - disabling it will prevent GPIO pinmux from functioning on Device Tree platforms, which can break peripheral functionality. On x86/x86-64 systems where this driver is not applicable, no action is required beyond standard kernel update cadence.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45868 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy