Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local-only vector (AV:L) requiring low-privilege account (PR:L); availability-only impact from kernel crash; no confidentiality or integrity effect.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
gpio: rockchip: fix generic IRQ chip leak on remove
The driver allocates domain generic chips using irq_alloc_domain_generic_chips() during probe. However, on driver remove/teardown, the generic chips are not automatically freed when the IRQ domain is removed because the domain flags do not include IRQ_DOMAIN_FLAG_DESTROY_GC.
This causes both the domain generic chips structure and the associated generic chips to be leaked. Additionally, the generic chips remain on the global gc_list and may later be visited by generic IRQ chip suspend, resume, or shutdown callbacks after the GPIO bank has been removed, potentially resulting in a use-after-free and kernel crash.
Fix the resource leak by explicitly calling irq_domain_remove_generic_chips() before removing the IRQ domain in rockchip_gpio_remove().
AnalysisAI
Resource leak and use-after-free in the Linux kernel's gpio-rockchip driver can crash the kernel on systems using Rockchip GPIO hardware. The driver's remove path fails to call irq_domain_remove_generic_chips(), leaving allocated generic chip structures unreleased and dangling on the global gc_list. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) the target system must be running on Rockchip SoC hardware with the gpio-rockchip driver loaded; (2) the attacker must have a local low-privilege account (PR:L per CVSS); (3) the gpio-rockchip driver must undergo removal or unbind after boot - this occurs during explicit module unload, sysfs driver unbind, or potentially during device hotplug events; (4) the kernel's IRQ suspend, resume, or shutdown callbacks must subsequently execute and traverse gc_list while the freed chips are still referenced. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H scores 5.5 (Medium), accurately reflecting that exploitation requires local authenticated access and produces only availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with standard account privileges on a Rockchip SoC device (e.g., a shared embedded Linux system) triggers gpio-rockchip driver removal - via sysfs unbind, module unload, or power management - causing generic chip structures to remain on gc_list. When the kernel subsequently invokes IRQ suspend or resume callbacks (e.g., during system sleep or another device suspend cycle), it dereferences the freed chip memory, producing a use-after-free and kernel panic that crashes the system. … |
| Remediation | Upgrade to a kernel version containing one of the three fix commits: bace7b99bfa555fe833aee8827b8004c43666d02 (stable branch), 1c1e0fc88d6ef65bf15d517853251f75ab9d18c3, or 1f34ea5f6114011092d9a5c8b901ad6741144a1d, all available at https://git.kernel.org/stable/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-401 – Memory Leak
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39317
GHSA-fw97-88cp-67m9