Skip to main content

Linux EUVDEUVD-2026-15258

| CVE-2026-23314 MEDIUM
2026-03-25 Linux GHSA-mv9g-rfx4-jpcr
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 23, 2026 - 21:11 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15258
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

regulator: bq257xx: Fix device node reference leak in bq257xx_reg_dt_parse_gpio()

In bq257xx_reg_dt_parse_gpio(), if fails to get subchild, it returns without calling of_node_put(child), causing the device node reference leak.

AnalysisAI

A device node reference leak exists in the Linux kernel's bq257xx regulator driver within the bq257xx_reg_dt_parse_gpio() function. When the function fails to retrieve a subchild device node, it returns prematurely without properly releasing the reference via of_node_put(child), causing a memory leak. This affects all Linux kernel versions containing this vulnerable code path in the bq257xx regulator driver, and while not directly exploitable for code execution, the memory leak can be triggered repeatedly to degrade system stability and availability.

Technical ContextAI

The vulnerability exists in the Linux kernel's regulator subsystem, specifically the bq257xx battery charger driver (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). The bq257xx_reg_dt_parse_gpio() function parses device tree nodes to configure GPIO settings. The root cause is a resource management failure classified under improper error handling—when of_get_child_by_name() or similar device tree traversal functions succeed but subsequent operations fail, the code path returns without invoking of_node_put() to decrement the reference counter on the child node. Device tree node references in the Linux kernel use reference counting; failure to release them causes kernel memory leaks that accumulate over time.

RemediationAI

Update the Linux kernel to a version that includes the fix for CVE-2026-23314. The patch is available via the Linux kernel stable repositories at https://git.kernel.org/stable/ under the three commit hashes provided. Users should apply the latest stable kernel update for their distribution. For immediate mitigation on systems that cannot be patched immediately, restrict the use of the bq257xx driver by disabling it in the kernel configuration if the hardware is not required, or avoid triggering error conditions in device tree parsing by ensuring clean and valid device tree configurations. Long-term, ensure the system kernel is regularly updated to incorporate all upstream stability and security fixes.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy