Skip to main content

Linux Kernel EUVDEUVD-2026-28557

| CVE-2026-43287 MEDIUM
Memory Leak (CWE-401)
2026-05-08 Linux GHSA-g272-h9j2-8655
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 16:52 vuln.today
CVSS changed
May 15, 2026 - 16:52 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 14:02 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm: Account property blob allocations to memcg

DRM_IOCTL_MODE_CREATEPROPBLOB allows userspace to allocate arbitrary-sized property blobs backed by kernel memory.

Currently, the blob data allocation is not accounted to the allocating process's memory cgroup, allowing unprivileged users to trigger unbounded kernel memory consumption and potentially cause system-wide OOM.

Mark the property blob data allocation with GFP_KERNEL_ACCOUNT so that the memory is properly charged to the caller's memcg. This ensures existing cgroup memory limits apply and prevents uncontrolled kernel memory growth without introducing additional policy or per-file limits.

AnalysisAI

Local users with low privileges can trigger unbounded kernel memory consumption in the Linux kernel's DRM subsystem via DRM_IOCTL_MODE_CREATEPROPBLOB, bypassing memory cgroup accounting and causing system-wide denial of service. The vulnerability affects all Linux kernel versions from 2.6.12-rc2 (commit 1da177e4) through 6.19.x until patched in 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS score is low (0.02%) and no active exploitation is documented; however, the attack requires only local access and low privileges (CVSS AV:L/AC:L/PR:L), making it easily exploitable by unprivileged users on multi-tenant systems.

Technical ContextAI

The vulnerability resides in the Direct Rendering Manager (DRM) subsystem's property blob allocation mechanism. DRM_IOCTL_MODE_CREATEPROPBLOB is a kernel ioctl that allows userspace to create arbitrary-sized property blobs (used for mode-setting configuration data like EDID, gamma tables, or HDR metadata) stored in kernel memory. The allocations used GFP_KERNEL without GFP_KERNEL_ACCOUNT, meaning they were not charged to the caller's memory cgroup (memcg). Linux's cgroup memory controller enforces per-process/container memory limits to prevent resource exhaustion. By omitting GFP_KERNEL_ACCOUNT, the kernel allowed unprivileged processes to allocate unlimited kernel memory outside their memcg quota, violating resource isolation. This is a CWE-401 (Missing Release of Memory after Effective Lifetime) variant where memory is allocated but not properly accounted, enabling resource exhaustion. The fix adds GFP_KERNEL_ACCOUNT to drm_property_create_blob() allocations, ensuring memory is charged to the calling process's memcg and subject to existing cgroup limits.

RemediationAI

Update the Linux kernel to a patched version: 5.10.252+, 5.15.202+, 6.1.165+, 6.6.128+, 6.12.75+, 6.18.16+, 6.19.6+, or mainline 7.0+. Patches are available from kernel.org stable branches and distribution vendors. If immediate patching is not feasible, implement compensating controls: (1) Restrict access to /dev/dri/card* and /dev/dri/renderD* devices using udev rules or container securityContext to limit which users/containers can invoke DRM ioctls-this prevents unprivileged users from triggering the vulnerability but breaks GPU acceleration for restricted processes; (2) Configure strict memory cgroup limits (memory.max in cgroup v2 or memory.limit_in_bytes in cgroup v1) for untrusted workloads to contain kernel memory exhaustion impact, though this does not prevent the unaccounted allocations and may still allow localized DoS; (3) Monitor kernel memory usage (slabtop, /proc/slabinfo for drm_property_blob) and alert on anomalous growth. Trade-offs: DRM access restriction breaks legitimate GPU workloads; cgroup limits mitigate blast radius but do not fix the root cause; monitoring provides detection but no prevention. Full remediation requires kernel upgrade. Refer to git.kernel.org commits listed in affected_products for detailed patch content.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy