Skip to main content

Linux Kernel EUVDEUVD-2026-28681

| CVE-2026-43375 MEDIUM
Memory Leak (CWE-401)
2026-05-08 Linux GHSA-h43w-g7p8-4g9g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 15:23 vuln.today
CVSS changed
May 15, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: mctp: fix device leak on probe failure

Driver core holds a reference to the USB interface and its parent USB device while the interface is bound to a driver and there is no need to take additional references unless the structures are needed after disconnect.

This driver takes a reference to the USB device during probe but does not to release it on probe failures.

Drop the redundant device reference to fix the leak, reduce cargo culting, make it easier to spot drivers where an extra reference is needed, and reduce the risk of further memory leaks.

AnalysisAI

Linux kernel MCTP driver leaks USB device references when probe fails, allowing local authenticated attackers to trigger denial of service through resource exhaustion. The flaw affects kernels from 6.15 through 6.19.9 and has been patched in versions 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% indicates minimal active exploitation risk, and no public exploit code has been identified at time of analysis.

Technical ContextAI

The Management Component Transport Protocol (MCTP) network driver in the Linux kernel handles USB device lifecycle management during driver binding. The affected code violates proper reference counting semantics for USB interfaces: the driver core automatically holds references to USB interfaces and parent devices during the bound state, but this driver incorrectly takes an additional reference to the USB device during probe via usb_get_dev() or equivalent without a corresponding usb_put_dev() call in error paths. When probe fails (due to resource allocation failures, hardware issues, or configuration problems), the extra reference prevents the USB device structure from being freed, creating a memory leak classified as CWE-401 (Missing Release of Memory after Effective Lifetime). Over repeated plug/unplug cycles or probe retry attempts, this accumulates leaked device structures and associated resources.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.19 or later in the 6.18.x series, 6.19.9 or later in the 6.19.x series, or 7.0 and above. Patch commits are available from kernel.org stable git: 3224990fb16a831aabc50b67c74f5d0074ce80dd for 6.18 branch, ec9538f9b5cd1db5e8c612aa636b6119b6355c5d for 6.19 branch, and 224a0d284c3caf1951302d1744a714784febed71 for mainline. If immediate patching is not feasible, implement compensating controls: disable the mctp-usb kernel module via modprobe blacklist (add 'blacklist mctp' and 'blacklist mctp_usb' to /etc/modprobe.d/blocklist.conf), restricting USB device access to trusted administrators only through udev rules or physical controls, and monitoring kernel memory usage for abnormal growth patterns. Note that disabling MCTP functionality prevents legitimate use of MCTP-over-USB management interfaces on systems requiring this protocol for BMC or server management communication. Systems without MCTP USB hardware are unaffected but should still patch to eliminate the vulnerable code path.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28681 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy