Skip to main content

Linux Kernel CVE-2026-45981

| EUVDEUVD-2026-32265 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-w3x6-6f6f-54f3
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AV:L (local, s390-only) and PR:L confirmed by description; AC:H because triggering DMA mask failure depends on hardware-level conditions not directly controlled by a low-privilege user.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 02:58 vuln.today
CVSS changed
Jun 16, 2026 - 02:52 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

css_alloc_subchannel() calls device_initialize() before setting up the DMA masks. If dma_set_coherent_mask() or dma_set_mask() fails, the error path frees the subchannel structure directly, bypassing the device model reference counting.

Once device_initialize() has been called, the embedded struct device must be released via put_device(), allowing the release callback to free the container structure.

Fix the error path by dropping the initial device reference with put_device() instead of calling kfree() directly.

This ensures correct device lifetime handling and avoids potential use-after-free or double-free issues.

AnalysisAI

Use-after-free and double-free conditions in the Linux kernel's s390/cio Channel I/O subsystem expose IBM Z (mainframe) systems to local denial-of-service attacks via kernel crash. The flaw resides in css_alloc_subchannel(), where device_initialize() is invoked before DMA mask configuration; if that configuration fails, the error path incorrectly calls kfree() directly, bypassing the kernel device model's reference counting and corrupting kernel memory. With a CVSS score of 5.5 (AV:L), an EPSS of 0.02% (7th percentile), no KEV listing, and strict hardware-architecture scope limited to s390/IBM Z, this is no public exploit identified at time of analysis and represents a low-urgency but architecturally significant stability fix.

Technical ContextAI

The affected code resides in drivers/s390/cio/css.c, specifically the css_alloc_subchannel() function within the IBM Z Channel Subsystem (CSS) driver, which manages I/O channel paths on s390/IBM Z mainframe hardware. The Linux device model requires that once device_initialize() is called on an embedded struct device, the containing structure must be released via put_device() to trigger the registered release callback that safely frees the container. The flawed error path instead calls kfree() directly on the subchannel structure after DMA mask setup (dma_set_coherent_mask() or dma_set_mask()) returns an error, which orphans the still-live reference count and risks use-after-free (if a concurrent reference exists) or double-free (if the release callback is later invoked). CWE-401 (Missing Release of Memory before Removing Last Reference) classifies this root cause: the reference lifetime is violated because the subsystem assumes exclusive ownership of the object after device_initialize(), which is incorrect. CPE data confirms the affected product as cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*, spanning multiple stable branches from the introducing commit e5dcf0025d7af58f525590ac86ac27cb44714e8d onward.

RemediationAI

Upgrade to a patched Linux kernel stable release: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0, selecting the branch matching your current deployment. Upstream fix commits are published at https://git.kernel.org/stable/c/ for each respective branch. Distributions running s390/IBM Z kernels (e.g., RHEL on IBM Z, SLES on IBM Z, Ubuntu on Z) should apply vendor-backported packages when available, as the upstream fix is straightforward (replace kfree() with put_device() in the error path). As a compensating control for systems that cannot be immediately updated, restricting untrusted local users from triggering channel subsystem operations (via access controls on s390-specific device nodes under /dev/ and tightening kernel module loading with kernel.modules_disabled=1 if applicable) reduces but does not eliminate exposure. Note that this is an architecture-specific fix; only s390/IBM Z deployments require action.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45981 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy