Skip to main content

Linux Kernel EUVDEUVD-2026-27759

| CVE-2026-43196 HIGH
Double Free (CWE-415)
2026-05-06 Linux GHSA-8h7q-934r-3xxv
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 11, 2026 - 20:23 vuln.today
CVSS changed
May 11, 2026 - 20:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

soc: ti: pruss: Fix double free in pruss_clk_mux_setup()

In the pruss_clk_mux_setup(), the devm_add_action_or_reset() indirectly calls pruss_of_free_clk_provider(), which calls of_node_put(clk_mux_np) on the error path. However, after the devm_add_action_or_reset() returns, the of_node_put(clk_mux_np) is called again, causing a double free.

Fix by returning directly, to avoid the duplicate of_node_put().

AnalysisAI

Double-free memory corruption in Linux kernel PRUSS (Programmable Real-Time Unit Subsystem) driver allows local authenticated attackers with low privileges to achieve high-impact code execution, information disclosure, or denial of service. The vulnerability exists in pruss_clk_mux_setup() where devm_add_action_or_reset() indirectly calls pruss_of_free_clk_provider() on error path, then erroneously calls of_node_put(clk_mux_np) again afterward. Vendor patches available across stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating; no KEV listing or public POC identified at time of analysis.

Technical ContextAI

This vulnerability affects the Linux kernel's TI PRUSS clock multiplexer setup code in drivers/soc/ti/pruss.c. PRUSS (Programmable Real-Time Unit Subsystem and Industrial Communication Subsystem) is Texas Instruments' industrial automation hardware supported in kernels used for embedded and industrial control systems. The root cause is CWE-415 (Double Free), a classic memory safety issue where the same memory reference (of_node_put on clk_mux_np device tree node) is released twice. The first release occurs inside the error-handling callback registered via devm_add_action_or_reset(), which invokes pruss_of_free_clk_provider(). The second occurs in the fallthrough code path after devm_add_action_or_reset() returns. Double-free conditions can corrupt kernel heap metadata, potentially enabling exploitation beyond simple crashes. CPE data identifies broad kernel version ranges affected, with the introducing commit ba59c9b43c86b2c2396acac94e41d946cbaec9fe and multiple stable branch fixes spanning kernel 5.10 through 7.0.

RemediationAI

Upgrade to patched kernel versions: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0 and later depending on your stable branch, with commits available at https://git.kernel.org/stable/. For systems unable to immediately patch, disable PRUSS driver functionality via kernel command line parameter (pruss.blacklist=1 or by not loading the ti_pruss module) if PRUSS hardware acceleration is not operationally required - this eliminates the vulnerable code path entirely but loses real-time industrial communication capabilities, making it viable only for non-industrial workloads on affected SoCs. Alternatively, restrict local user accounts and enforce least-privilege access controls to minimize the pool of authenticated users who could trigger the vulnerable driver code, though this only reduces attack surface rather than eliminating the vulnerability. Review /var/log/kern.log for PRUSS driver initialization errors or kernel oops messages indicating potential exploitation attempts or natural triggering of the bug during hardware initialization.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27759 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy