Skip to main content

Linux Kernel EUVDEUVD-2026-32329

| CVE-2026-45863 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vj4h-mg95-pj35
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local driver path requires a user session and i3c hardware (AV:L, PR:L); no confidentiality or integrity impact - only memory exhaustion from the unreleased allocation (A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.4 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:26 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

i3c: dw: Fix memory leak in dw_i3c_master_i2c_xfers()

The dw_i3c_master_i2c_xfers() function allocates memory for the xfer structure using dw_i3c_master_alloc_xfer(). If pm_runtime_resume_and_get() fails, the function returns without freeing the allocated xfer, resulting in a memory leak.

Add a dw_i3c_master_free_xfer() call to the error path to ensure the allocated memory is properly freed.

Compile tested only. Issue found using a prototype static analysis tool and code review.

AnalysisAI

Memory leak in the Linux kernel's DesignWare i3c master driver (drivers/i3c/master/dw-i3c-master.c) allows a local low-privileged user on systems equipped with DesignWare i3c hardware to cause gradual kernel memory exhaustion by repeatedly triggering the failure path in dw_i3c_master_i2c_xfers(), where dw_i3c_master_alloc_xfer() allocates a transfer structure that is never freed when pm_runtime_resume_and_get() returns an error. No public exploit identified at time of analysis; EPSS of 0.02% (5th percentile) and the static-analysis discovery method both confirm this is a low-immediacy, low-exploitation-probability issue. Vendor-released patches are available across multiple stable kernel branches.

Technical ContextAI

The DesignWare i3c master driver implements the I3C (Improved Inter-Integrated Circuit) bus protocol used in embedded and SoC environments for sensor and peripheral communication. The affected function dw_i3c_master_i2c_xfers() bridges legacy I2C transfers through the i3c master. It calls dw_i3c_master_alloc_xfer() to allocate a kernel heap object (struct dw_i3c_xfer) before invoking pm_runtime_resume_and_get() to ensure the power domain is active. If the power management resume fails - a realistic scenario on embedded platforms with aggressive power gating - the early return path omits the corresponding dw_i3c_master_free_xfer() call, leaving the allocated object unreachable. This is a textbook CWE-401 (Missing Release of Memory after Effective Lifetime): memory is allocated, an error path branches before deallocation, and the pointer is lost. The root cause is a missing free on one error path, not a use-after-free or heap corruption. The affected CPE covers all Linux kernel versions that include this driver: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

The primary fix is to upgrade to a patched kernel release: Linux 6.12.75, 6.18.14, 6.19.4, or 7.0, which include the corrected dw_i3c_master_free_xfer() call on the pm_runtime error path. Patch commits are tracked at the kernel.org stable tree links in the references. For embedded or long-support platforms that cannot immediately upgrade, a compensating control is to ensure the DesignWare i3c controller's power management domain remains persistently active (i.e., disable runtime PM for the i3c bus node via the device tree or by setting power/control to on via sysfs), which prevents pm_runtime_resume_and_get() from ever failing and thus eliminates the error path that triggers the leak - note this trades increased idle power consumption for leak prevention. Restricting local user access to I2C/I3C device nodes (e.g., enforcing strict group permissions on /dev/i2c-* and /dev/i3c-*) limits which users can trigger the vulnerable code path but does not eliminate the bug.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-32329 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy