Skip to main content

Linux Kernel GPIB EUVDEUVD-2026-26573

| CVE-2026-31760 MEDIUM
Memory Leak (CWE-401)
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 08, 2026 - 20:30 vuln.today
CVSS changed
May 08, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26573
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

gpib: lpvo_usb: fix memory leak on disconnect

The driver iterates over the registered USB interfaces during GPIB attach and takes a reference to their USB devices until a match is found. These references are never released which leads to a memory leak when devices are disconnected.

Fix the leak by dropping the unnecessary references.

AnalysisAI

Memory leak in the Linux kernel's GPIB lpvo_usb driver allows local authenticated users to cause a denial of service through resource exhaustion by repeatedly connecting and disconnecting USB devices, as the driver fails to release USB device references during interface enumeration. The EPSS score of 0.02% indicates minimal real-world exploitation risk despite the moderate CVSS 5.5 severity, reflecting the combination of local-only access requirement, authentication need, and the niche nature of GPIB USB device usage.

Technical ContextAI

The vulnerability resides in the Linux kernel's GPIB (General Purpose Interface Bus) lpvo_usb driver subsystem. During GPIB device attachment, the driver iterates over registered USB interfaces to locate a matching device. The root cause (CWE-401: Missing Release of Memory after Effective Lifetime) occurs because the driver increments reference counts on USB device objects during this enumeration but fails to decrement them when the matching device is found or when enumeration concludes. This is a resource management defect in kernel USB device handling. The affected product is distributed across all CPE records for the Linux kernel, affecting both stable and development branches.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.22, 6.19.12, 7.0, or later stable releases, or to the latest upstream development kernel post-commit 21f942879f86108b300a23683e67483f8c358fc7. For systems unable to immediately patch, disable the GPIB lpvo_usb driver via kernel module blacklisting (add 'blacklist gpib_lpvo_usb' to /etc/modprobe.d/) or recompile the kernel without CONFIG_GPIB_LPVO_USB if GPIB hardware is not required. Alternative mitigation includes restricting unprivileged user access to GPIB devices via udev rules or filesystem permissions (modify /etc/udev/rules.d/ to limit device node access), though this may interfere with legitimate GPIB application workflows. Kernel upgrade is the preferred remediation to maintain full functionality while eliminating the leak. Verification can be done by checking the kernel version with 'uname -r' post-reboot and confirming it matches or exceeds the patched versions listed above.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26573 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy