Skip to main content

Linux Kernel EUVDEUVD-2026-27604

| CVE-2026-43097 HIGH
Double Free (CWE-415)
2026-05-06 Linux
High
Disputed · 7.8 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 21:45 vuln.today
CVSS changed
May 14, 2026 - 19:37 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

PCI: hv: Fix double ida_free in hv_pci_probe error path

If hv_pci_probe() fails after storing the domain number in hbus->bridge->domain_nr, there is a call to free this domain_nr via pci_bus_release_emul_domain_nr(), however, during cleanup, the bridge release callback pci_release_host_bridge_dev() also frees the domain_nr causing ida_free to be called on same ID twice and triggering following warning:

ida_free called for id=28971 which is not allocated. WARNING: lib/idr.c:594 at ida_free+0xdf/0x160, CPU#0: kworker/0:2/198 Call Trace: pci_bus_release_emul_domain_nr+0x17/0x20 pci_release_host_bridge_dev+0x4b/0x60 device_release+0x3b/0xa0 kobject_put+0x8e/0x220 devm_pci_alloc_host_bridge_release+0xe/0x20 devres_release_all+0x9a/0xd0 device_unbind_cleanup+0x12/0xa0 really_probe+0x1c5/0x3f0 vmbus_add_channel_work+0x135/0x1a0

Fix this by letting pci core handle the free domain_nr and remove the explicit free called in pci-hyperv driver.

AnalysisAI

Double-free vulnerability in the Linux kernel PCI Hyper-V driver allows local authenticated users to trigger kernel memory corruption and potentially escalate privileges. The flaw occurs in hv_pci_probe() error handling where ida_free() is called twice on the same domain number, leading to memory allocator corruption. Patches released in kernel 6.19.14 and 7.0 fix the issue by removing the redundant ida_free call. EPSS score of 0.02% indicates low exploitation probability in the wild, and no public exploit or KEV listing identified at time of analysis.

Technical ContextAI

The vulnerability affects the Linux kernel PCI host bridge emulation subsystem, specifically the Microsoft Hyper-V paravirtualized PCI driver (drivers/pci/controller/pci-hyperv.c). The ID allocator (IDA) mechanism manages domain numbers for emulated PCI buses. When hv_pci_probe() fails after allocating a domain number and storing it in hbus->bridge->domain_nr, the error path explicitly calls pci_bus_release_emul_domain_nr() to free the ID. However, the subsequent cleanup via devm framework triggers pci_release_host_bridge_dev(), which independently frees the same domain number. This double-free violates IDA's internal state tracking, corrupting the allocator bitmap. CWE-415 (Double Free) indicates the root cause: memory management logic that releases the same resource twice without proper coordination between error paths and automatic cleanup handlers. This affects only Linux kernels with Hyper-V guest support enabled, running as virtual machines on Microsoft Azure or on-premises Hyper-V hosts.

RemediationAI

Upgrade to Linux kernel 6.19.14 or 7.0 or later, which contain upstream fixes removing the redundant ida_free call in the hv_pci_probe error path (commits 21bc8e0ba5c2 for stable, b6422dff0e51 for mainline). For enterprise distributions, apply vendor-provided security updates incorporating these commits: check with Red Hat, Ubuntu, SUSE, or Debian for backported patches to supported kernel branches. If immediate patching is not feasible, apply these compensating controls with noted trade-offs: (1) Disable PCI hot-plug in Hyper-V guest configuration to reduce probe failure scenarios, though this limits dynamic hardware management; (2) Monitor kernel logs for ida_free warnings and reboot affected VMs proactively, accepting potential service interruption to prevent allocator corruption accumulation; (3) Restrict local user access on Hyper-V Linux guests to trusted administrators only, reducing attack surface but not eliminating risk from compromised low-privilege accounts. None of these workarounds fully mitigate the vulnerability, so kernel upgrade remains the definitive remediation. Patch advisory URLs: https://git.kernel.org/stable/c/21bc8e0ba5c2a081b0a2808c976d4c9dbddf1e48 and https://git.kernel.org/stable/c/b6422dff0e518245019233432b6bccfc30b73e2f.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27604 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy