Skip to main content

Linux Kernel CVE-2026-53226

| EUVDEUVD-2026-39317 MEDIUM
Memory Leak (CWE-401)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-fw97-88cp-67m9
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only vector (AV:L) requiring low-privilege account (PR:L); availability-only impact from kernel crash; no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 02, 2026 - 23:00 vuln.today
CVSS changed
Jul 02, 2026 - 20:52 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

gpio: rockchip: fix generic IRQ chip leak on remove

The driver allocates domain generic chips using irq_alloc_domain_generic_chips() during probe. However, on driver remove/teardown, the generic chips are not automatically freed when the IRQ domain is removed because the domain flags do not include IRQ_DOMAIN_FLAG_DESTROY_GC.

This causes both the domain generic chips structure and the associated generic chips to be leaked. Additionally, the generic chips remain on the global gc_list and may later be visited by generic IRQ chip suspend, resume, or shutdown callbacks after the GPIO bank has been removed, potentially resulting in a use-after-free and kernel crash.

Fix the resource leak by explicitly calling irq_domain_remove_generic_chips() before removing the IRQ domain in rockchip_gpio_remove().

AnalysisAI

Resource leak and use-after-free in the Linux kernel's gpio-rockchip driver can crash the kernel on systems using Rockchip GPIO hardware. The driver's remove path fails to call irq_domain_remove_generic_chips(), leaving allocated generic chip structures unreleased and dangling on the global gc_list. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local account on Rockchip device
Delivery
Trigger gpio-rockchip driver removal (unbind or modprobe -r)
Exploit
Generic chips freed but remain on global gc_list
Execution
IRQ subsystem invokes suspend/resume/shutdown callback
Persist
Callback dereferences freed chip memory
Impact
Kernel use-after-free panic (system crash)

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the target system must be running on Rockchip SoC hardware with the gpio-rockchip driver loaded; (2) the attacker must have a local low-privilege account (PR:L per CVSS); (3) the gpio-rockchip driver must undergo removal or unbind after boot - this occurs during explicit module unload, sysfs driver unbind, or potentially during device hotplug events; (4) the kernel's IRQ suspend, resume, or shutdown callbacks must subsequently execute and traverse gc_list while the freed chips are still referenced. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H scores 5.5 (Medium), accurately reflecting that exploitation requires local authenticated access and produces only availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with standard account privileges on a Rockchip SoC device (e.g., a shared embedded Linux system) triggers gpio-rockchip driver removal - via sysfs unbind, module unload, or power management - causing generic chip structures to remain on gc_list. When the kernel subsequently invokes IRQ suspend or resume callbacks (e.g., during system sleep or another device suspend cycle), it dereferences the freed chip memory, producing a use-after-free and kernel panic that crashes the system. …
Remediation Upgrade to a kernel version containing one of the three fix commits: bace7b99bfa555fe833aee8827b8004c43666d02 (stable branch), 1c1e0fc88d6ef65bf15d517853251f75ab9d18c3, or 1f34ea5f6114011092d9a5c8b901ad6741144a1d, all available at https://git.kernel.org/stable/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53226 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy