Skip to main content

Linux Kernel CVE-2026-45922

| EUVDEUVD-2026-32388 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-2gpx-gjmm-6pff
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access to mlx5 uverbs required (AV:L, PR:L); memory leak causes availability impact only, with no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 19:31 vuln.today
CVSS changed
Jun 24, 2026 - 17:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler

The UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH) function allocates memory for the device path using kobject_get_path(). If the length of the device path exceeds the output buffer length, the function returns -ENOSPC but does not free the allocated memory, resulting in a memory leak.

Add a kfree() call to the error path to ensure the allocated memory is properly freed.

Compile tested only. Issue found using a prototype static analysis tool and code review.

AnalysisAI

Memory leak in the Linux kernel's RDMA/mlx5 subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering the error path in the GET_DATA_DIRECT_SYSFS_PATH uverbs handler. The flaw affects multiple stable kernel branches requiring mlx5-family InfiniBand/RDMA hardware, and was discovered through static analysis and code review rather than active exploitation. No public exploit exists and EPSS probability is 0.02% (5th percentile), indicating no public exploit or active exploitation at time of analysis.

Technical ContextAI

The vulnerability resides in the UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH) function within the RDMA/mlx5 kernel driver (mlx5_ib). The function calls kobject_get_path() to dynamically allocate a buffer containing the sysfs device path. When the path length exceeds the caller-supplied output buffer, the function correctly returns -ENOSPC, but incorrectly omits the corresponding kfree() call to release the allocated buffer, violating the resource lifecycle contract (CWE-401: Missing Release of Memory after Effective Lifetime). This is a classic error-path memory leak, corrected by adding kfree() before returning the error code. The fix was backported across multiple stable branches as documented by four separate git.kernel.org commits. Affected CPE is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* across the relevant stable trees.

RemediationAI

Apply the vendor-released patch by upgrading to Linux 6.12.75, 6.18.14, 6.19.4, or 7.0 as appropriate to the deployed stable branch; the respective fix commits are referenced at git.kernel.org above. Distributions shipping affected kernel versions (e.g., RHEL, Ubuntu, SUSE) should apply stable kernel updates from their vendors once backported packages are available. As a compensating control on systems that do not require RDMA functionality, unloading or blacklisting the mlx5_ib kernel module (modprobe -r mlx5_ib or adding blacklist mlx5_ib to modprobe configuration) eliminates the attack surface with no side effects on non-RDMA workloads. On systems that do require RDMA, restrict access to /dev/infiniband/uverbsN devices to only trusted users via udev rules or group membership, reducing the pool of users who can trigger the vulnerable handler.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45922 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy