Skip to main content

Linux Kernel EUVDEUVD-2026-32248

| CVE-2026-45964 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-7m86-h2jr-vw87
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AC:H reflects that triggering the kstrdup_const() failure requires engineering kernel memory pressure; all other metrics align with the confirmed local, low-privilege, availability-only impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 02:44 vuln.today
CVSS changed
Jun 16, 2026 - 02:37 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path

Commit 5940d1cf9f42 ("SUNRPC: Rebalance a kref in auth_gss.c") added a kref_get(&gss_auth->kref) call to balance the gss_put_auth() done in gss_release_msg(), but forgot to add a corresponding kref_put() on the error path when kstrdup_const() fails.

If service_name is non-NULL and kstrdup_const() fails, the function jumps to err_put_pipe_version which calls put_pipe_version() and kfree(gss_msg), but never releases the gss_auth reference. This leads to a kref leak where the gss_auth structure is never freed.

Add a forward declaration for gss_free_callback() and call kref_put() in the err_put_pipe_version error path to properly release the reference taken earlier.

AnalysisAI

Memory exhaustion in the Linux kernel's SUNRPC GSS authentication subsystem (net/sunrpc/auth_gss/auth_gss.c) allows a local low-privileged user to leak kernel memory by repeatedly triggering a specific error path where kstrdup_const() fails during gss_alloc_msg() processing, preventing gss_auth structures from ever being freed. The defect was introduced by commit 5940d1cf9f42, which added kref_get(&gss_auth->kref) without the corresponding kref_put() on the err_put_pipe_version error path when service_name is non-NULL. With EPSS at 0.02% (7th percentile), no CISA KEV listing, and no public exploit, this is a low-urgency memory management defect primarily relevant to systems running NFS with Kerberos/RPCSEC_GSS authentication.

Technical ContextAI

The vulnerability is rooted in the Linux kernel's SUNRPC (Sun Remote Procedure Call) layer, which underpins NFS and related protocols. The affected component is the Generic Security Services (GSS) authentication module in auth_gss.c, which uses the kernel's kref reference-counting API to manage the lifetime of gss_auth structures. Commit 5940d1cf9f42 ('SUNRPC: Rebalance a kref in auth_gss.c') added a kref_get() call to balance a gss_put_auth() invoked inside gss_release_msg(), but omitted a corresponding kref_put() on the err_put_pipe_version error path. This path is reached when kstrdup_const() fails while duplicating a non-NULL service_name string, a condition triggered under kernel memory pressure. The error path calls put_pipe_version() and kfree(gss_msg) but leaves the gss_auth reference incremented, meaning the structure can never reach a reference count of zero and will never be freed. CWE-401 (Missing Release of Memory after Effective Lifetime) accurately captures this root cause. CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade to a patched kernel version appropriate for the active stable branch: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, or 6.19.4 and later. Upstream fix commits are available at git.kernel.org: 3b2b6c42070ce (5.10 branch), 655c9ba9915f0 (5.15 branch), a1bc9561b617e (6.1 branch), a2d4e9a76de0b (6.6 branch), b559be2ec6cdb, c20f925214249, dd2fdc3504592, and e464e26b24570 (additional branches). Monitor distribution security channels for kernel errata incorporating these commits. As a compensating control for environments that do not use NFS with Kerberos authentication, the rpcsec_gss_krb5 kernel module can be blacklisted (add 'blacklist rpcsec_gss_krb5' to /etc/modprobe.d/) to prevent the vulnerable code path from being loaded; the trade-off is that Kerberos-authenticated NFS mounts will fail. No vendor advisory URL beyond git.kernel.org stable commits was provided in the reference data.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32248 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy