Skip to main content

Linux Kernel CVE-2026-45883

| EUVDEUVD-2026-32349 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mjh6-2qq4-fp8m
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
2.5 LOW

Error path requires iio_device_register() failure (AC:H); cumulative IRQ leak has limited, not immediate availability impact (A:L), not system-wide crash.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
SUSE
4.0 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:29 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

iio: sca3000: Fix a resource leak in sca3000_probe()

spi->irq from request_threaded_irq() not released when iio_device_register() fails. Add an return value check and jump to a common error handler when iio_device_register() fails.

AnalysisAI

Resource leak in the Linux kernel's sca3000 IIO accelerometer driver (sca3000_probe()) allows a local low-privileged user on affected hardware to cause IRQ resource exhaustion by repeatedly triggering the error path where iio_device_register() fails without releasing the IRQ registered via request_threaded_irq(). Affected are Linux kernel versions from approximately 4.10 through multiple stable branches, all of which now have upstream fix commits. No public exploit exists and EPSS stands at 0.02% (7th percentile), indicating this is a robustness/maintenance fix rather than an actively targeted vulnerability.

Technical ContextAI

The SCA3000 is a three-axis SPI-connected industrial accelerometer managed by the Linux IIO (Industrial I/O) subsystem driver at drivers/iio/accel/sca3000.c. During device probe, request_threaded_irq() registers an interrupt handler using the IRQ number from spi->irq. CWE-401 (Missing Release of Memory after Effective Lifetime) applies: the original error-handling path omitted a call to free_irq() when iio_device_register() returned a failure code, leaving the IRQ descriptor allocated and its line potentially unusable by other drivers. The fix adds a return-value check on iio_device_register() and introduces a goto to a unified error handler that calls free_irq() before returning. CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. The introduced commit identified in EUVD is 9a4936dc89a34e002946a6c08b330918ec6afab8, tracing the flaw back to approximately Linux 4.10.

RemediationAI

Upgrade to a patched Linux kernel release for the applicable stable branch: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0. Upstream fix commits are available at https://git.kernel.org/stable/c/103ac8e3a7f345a0966ef582b8a874ac31a92c7c and the branch-specific commits listed in the references. For systems that do not use SCA3000 accelerometer hardware, blacklisting the sca3000 kernel module serves as an effective zero-impact workaround: add 'blacklist sca3000' to /etc/modprobe.d/blacklist.conf and run 'dracut -f' (RHEL/Fedora) or 'update-initramfs -u' (Debian/Ubuntu). This has no functional side effects on hardware that does not include an SCA3000 device. Given non-KEV status and minimal EPSS, standard patching cycles are appropriate.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45883 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy