Skip to main content

Linux Kernel EUVDEUVD-2026-32336

| CVE-2026-45870 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-cc2x-2xg8-9rpf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only trigger requiring low-privilege NFS/Kerberos auth access; pure memory leak with no confidentiality or integrity impact, only availability via gradual exhaustion.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:14 vuln.today
CVSS changed
Jun 25, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths

The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() functions allocate memory via gssx_dec_buffer(), which calls kmemdup(). When a subsequent decode operation fails, these functions return immediately without freeing previously allocated buffers, causing memory leaks.

The leak in gssx_dec_ctx() is particularly relevant because the caller (gssp_accept_sec_context_upcall) initializes several buffer length fields to non-zero values, resulting in memory allocation:

struct gssx_ctx rctxh = { .exported_context_token.len = GSSX_max_output_handle_sz, .mech.len = GSS_OID_MAX_LEN, .src_name.display_name.len = GSSX_max_princ_sz, .targ_name.display_name.len = GSSX_max_princ_sz };

If, for example, gssx_dec_name() succeeds for src_name but fails for targ_name, the memory allocated for exported_context_token, mech, and src_name.display_name remains unreferenced and cannot be reclaimed.

Add error handling with goto-based cleanup to free any previously allocated buffers before returning an error.

AnalysisAI

Memory leaks in the Linux kernel's SUNRPC auth_gss subsystem allow a local low-privilege attacker to gradually exhaust kernel heap memory on systems using NFS with Kerberos (RPCSEC_GSS) authentication. The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() XDR decoding functions fail to release previously allocated kernel buffers when a partial decode sequence errors out mid-function, leaving unreferenced kmemdup() allocations on the heap. No public exploit exists and EPSS is 0.02%, but no public exploit identified at time of analysis; repeated triggering of the vulnerable paths could degrade availability on RPCSEC_GSS-enabled servers.

Technical ContextAI

The flaw resides in the Linux kernel SUNRPC subsystem, specifically the GSS-API (Generic Security Services) authentication layer used by RPCSEC_GSS to secure NFS and other RPC traffic with Kerberos or similar mechanisms. The root cause is CWE-401 (Missing Release of Memory after Effective Lifetime): gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() each call gssx_dec_buffer(), which uses kmemdup() to allocate kernel heap memory for fields such as exported_context_token, mech OID, and principal display names (src_name, targ_name). When any subsequent field decode in the same call fails, the function returns the error immediately without freeing buffers successfully allocated for prior fields. The caller gssp_accept_sec_context_upcall pre-initializes struct gssx_ctx with non-zero length values for all four buffer fields, guaranteeing actual allocations occur before any potential failure point. The fix applies goto-based cleanup labels to free all previously allocated buffers on any error exit path. CPE cpe:2.3:o:linux:linux_kernel applies across all affected stable branches.

RemediationAI

Upgrade to a vendor-released patched kernel version: 5.10.252 or later for the 5.10.x stable branch, 5.15.202+ for 5.15.x, 6.1.165+ for 6.1.x, 6.6.128+ for 6.6.x, 6.12.75+ for 6.12.x, 6.18.14+ for 6.18.x, 6.19.4+ for 6.19.x, or any 7.0+ release. Representative patch commit: https://git.kernel.org/stable/c/3b56eb90feb8a3709417f5624f3871847d42bcb1. If immediate kernel upgrade is not feasible, a compensating control is to disable NFS mounts using Kerberos (RPCSEC_GSS) or restrict gssproxy access, which prevents the vulnerable XDR decode paths from being exercised - trade-off is loss of Kerberos-secured NFS functionality. Restricting local shell access for untrusted users on NFS/Kerberos servers also reduces exposure. There is no known userspace-only mitigation that addresses the kernel memory leak itself.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
Image SLES12-SP5-Azure-BYOS Affected
Image SLES12-SP5-Azure-SAP-BYOS Image SLES12-SP5-Azure-SAP-On-Demand Image SLES12-SP5-EC2-SAP-On-Demand Affected
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32336 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy