Skip to main content

Linux Kernel EUVDEUVD-2026-28601

| CVE-2026-43317 MEDIUM
Memory Leak (CWE-401)
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-94jm-9m2w-wfhh
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 21:00 vuln.today
CVSS changed
May 15, 2026 - 18:37 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

most: core: fix leak on early registration failure

A recent commit fixed a resource leak on early registration failures but for some reason left out the first error path which still leaks the resources associated with the interface.

Fix up also the first error path so that the interface is always released on errors.

AnalysisAI

Resource leak in Linux kernel MOST (Media Oriented Systems Transport) core driver allows local authenticated users to trigger denial of service through repeated interface registration failures. The vulnerability stems from incomplete error handling in the driver's registration path, where resources allocated for MOST interfaces are not properly released when early registration failures occur. While CVSS rates this 5.5 with local access and low attack complexity, the EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation likelihood. Vendor patches are available across multiple kernel stable branches (6.12.75, 6.18.16, 6.19.6, 7.0).

Technical ContextAI

The MOST (Media Oriented Systems Transport) subsystem is a networking technology used primarily in automotive infotainment systems for high-bandwidth multimedia data transfer. This vulnerability (CWE-401: Missing Release of Memory or Resources After Effective Lifetime) affects the core driver's interface registration error handling path. A previous commit addressed resource leaks on some registration failure paths but incompletely fixed the issue, leaving the first error path unpatched. When interface registration fails early in the process, allocated kernel memory and interface resources remain unreleased, creating a resource exhaustion condition. The affected code path is in drivers/most/core.c, specifically the interface registration function. The CPE data indicates impact across Linux kernel versions from 5.6 through 7.0 release candidates, with the introduction commit identified as 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c.

RemediationAI

Apply vendor-released kernel patches: upgrade to Linux kernel 6.12.75, 6.18.16, 6.19.6, or 7.0 stable release depending on your current kernel branch. For systems unable to immediately patch, implement the following compensating control with awareness of its operational impact: unload or blacklist the MOST driver module (most_core.ko) if MOST hardware is not in active use, achieved by adding 'blacklist most_core' to /etc/modprobe.d/blacklist.conf and regenerating initramfs - this prevents the vulnerable code path from being accessible but disables MOST functionality entirely. For automotive/embedded systems requiring MOST, restrict local user access and monitor for unusual patterns of driver loading/unloading or kernel resource consumption. No workaround exists for environments requiring both MOST functionality and unprivileged local user access. Advisory and patch details: https://nvd.nist.gov/vuln/detail/CVE-2026-43317 and kernel stable tree commits linked above.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28601 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy