Skip to main content

Linux Kernel CVE-2026-45997

| EUVDEUVD-2026-32293 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-9h33-65cj-82pc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local attack vector and low-privilege requirement reflect that triggering sd_probe() failure paths requires authenticated local access; sole impact is availability via kernel resource exhaustion.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 13:56 vuln.today
CVSS changed
Jun 16, 2026 - 13:52 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails

If device_add(&sdkp->disk_dev) fails, put_device() runs scsi_disk_release(), which frees the scsi_disk but leaves the gendisk referenced. The device_add_disk() error path in sd_probe() calls put_disk(gd); call put_disk(gd) here to mirror that cleanup.

AnalysisAI

Reference count leak in the Linux kernel SCSI disk driver (drivers/scsi/sd.c) allows a local low-privileged user to cause kernel resource exhaustion and system crash. In sd_probe(), when device_add(&sdkp->disk_dev) fails, the cleanup path correctly invokes put_device() triggering scsi_disk_release() to free the scsi_disk structure, but omits the corresponding put_disk(gd) call - leaving the gendisk object with an unreleased reference. This asymmetry with the device_add_disk() error path means repeated probe failures accumulate reference leaks that can exhaust kernel memory and deny service. No public exploit has been identified and EPSS probability is 0.02% (5th percentile), consistent with a stability fix rather than an attacker-targeted flaw.

Technical ContextAI

The Linux kernel SCSI disk driver (sd.c) uses a two-layer device model: a scsi_disk structure wraps a gendisk (struct gendisk), which is the kernel's generic disk abstraction. Both are reference-counted via put_device()/scsi_disk_release() and put_disk() respectively. During sd_probe(), the driver allocates a scsi_disk, initialises a gendisk, then calls device_add(&sdkp->disk_dev) to register the device in sysfs. If device_add() fails, put_device() on the disk_dev triggers scsi_disk_release(), freeing the scsi_disk - but the gendisk's reference count is not decremented because put_disk(gd) is never called on this error path. The parallel error path inside device_add_disk() does call put_disk(), but that path is not reached when device_add() itself fails before it. The CPE data (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*) confirms the affected component is the Linux kernel across all versions prior to the stable-branch fixes. Although no CWE is formally assigned, this is a classic CWE-772 (Missing Release of Resource after Effective Lifetime) / CWE-401 (Missing Release of Memory after Effective Lifetime) pattern applied to a kernel reference count.

RemediationAI

Upgrade to a patched Linux kernel stable release: 6.6.140, 6.12.86, 6.18.27, or 7.0.4 (or later). The upstream fixes are available as stable commits at git.kernel.org - specifically commits 13e550fbfccdb311e76ec96892dfe35f0dba0657, 1e111c4b3a726df1254670a5cc4868cedb946d37, 262152ec37101f9dc524743ccdbd6c7641d14573, a95d38c5701431bfc826e7b18acc0785919d5c88, b64b4f499801b12d0e2785447e4df6c164c608a9, and 2c2c14b7dfccad8c5a28802849e40c21252e4c28. Distribution maintainers should apply the appropriate backport. As a compensating control where kernel upgrades are not immediately feasible, restricting unprivileged user access to SCSI hotplug events (e.g., via udev rules that limit /dev/sd* ownership, or disabling USB storage via 'install usb-storage /bin/false' in modprobe configuration) reduces the attack surface; however, this does not eliminate the bug and may impact legitimate storage functionality. Kernel live-patching (kpatch, livepatch) may be viable for production systems where reboots are disruptive.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-45997 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy