Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local vector and low privileges required to trigger driver probe path; no confidentiality or integrity impact - resource leak causes availability loss only.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau: fix nvkm_device leak on aperture removal failure
When aperture_remove_conflicting_pci_devices() fails during probe, the error path returns directly without unwinding the nvkm_device that was just allocated by nvkm_device_pci_new(). This leaks both the device wrapper and the pci_enable_device() reference taken inside it.
Jump to the existing fail_nvkm label so nvkm_device_del() runs and balances both. The leak was introduced when the intermediate nvkm_device_del() between detection and aperture removal was dropped in favor of creating the pci device once.
AnalysisAI
Memory leak in the Linux kernel's drm/nouveau subsystem exposes systems with NVIDIA GPUs using the open-source nouveau driver to local denial of service. When aperture_remove_conflicting_pci_devices() fails during PCI device probe, the error path bypasses the fail_nvkm cleanup label, permanently leaking both the nvkm_device wrapper and the pci_enable_device() reference taken inside nvkm_device_pci_new(). No public exploit exists and EPSS sits at the 5th percentile (0.02%), confirming negligible exploitation probability; however, patched stable releases are available across multiple kernel branches.
Technical ContextAI
The vulnerability resides in the Direct Rendering Manager (DRM) nouveau driver - the open-source Linux kernel driver for NVIDIA GPUs, backed by the NVIDIA Kernel Mode (nvkm) abstraction layer. During PCI device probe, nvkm_device_pci_new() allocates a device wrapper struct and internally calls pci_enable_device() to claim the PCI resource. A subsequent call to aperture_remove_conflicting_pci_devices() resolves framebuffer aperture conflicts with other drivers. When that call returns an error, the original code returned directly rather than jumping to the existing fail_nvkm label - which would have invoked nvkm_device_del() to release both the wrapper and the PCI reference. The root cause is CWE-401 (Missing Release of Memory after Effective Lifetime), introduced when an intermediate nvkm_device_del() between detection and aperture removal was removed in favor of a single PCI device creation path. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.
RemediationAI
The primary fix is to upgrade to a patched Linux kernel release: 6.12.86 (stable 6.12 branch), 6.18.27, 7.0.4, or 7.1-rc1 and later. The upstream stable patches are available at https://git.kernel.org/stable/c/5edd564ccb002ffc830e7818c1c4a992db774678 and the three companion backport commits. Ubuntu users should apply the kernel updates published in USN-8489-1 (https://ubuntu.com/security/notices/USN-8489-1) and USN-8488-1 (https://ubuntu.com/security/notices/USN-8488-1). As a compensating control on systems where immediate kernel upgrade is not feasible, blacklisting the nouveau kernel module via /etc/modprobe.d/blacklist-nouveau.conf and regenerating the initramfs eliminates the vulnerable code path entirely; the trade-off is loss of GPU hardware acceleration and display management through nouveau, which is acceptable on headless servers or systems using the proprietary NVIDIA driver instead.
Same weakness CWE-401 – Memory Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35433
GHSA-h586-h5c7-xhhh