Skip to main content

Linux Kernel EUVDEUVD-2026-32346

| CVE-2026-45880 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mvr8-9v2m-pg6f
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges required to invoke P2PDMA mmap; purely availability impact from indefinite kernel hang on device removal; no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:28 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

PCI/P2PDMA: Release per-CPU pgmap ref when vm_insert_page() fails

When vm_insert_page() fails in p2pmem_alloc_mmap(), p2pmem_alloc_mmap() doesn't invoke percpu_ref_put() to free the per-CPU ref of pgmap acquired after gen_pool_alloc_owner(), and memunmap_pages() will hang forever when trying to remove the PCI device.

Fix it by adding the missed percpu_ref_put().

AnalysisAI

PCI/P2PDMA subsystem in the Linux kernel hangs indefinitely on PCI device removal due to a missing percpu_ref_put() call on the error exit path of p2pmem_alloc_mmap(). Low-privileged local users on systems with P2PDMA-capable PCI hardware can trigger a vm_insert_page() failure that leaks a per-CPU pgmap reference, causing memunmap_pages() to stall forever when the PCI device is later removed. No public exploit has been identified and EPSS is at the 5th percentile; this is not in CISA KEV.

Technical ContextAI

The vulnerability resides in the Linux kernel's PCI Peer-to-Peer DMA (P2PDMA) subsystem, within the p2pmem_alloc_mmap() function in drivers/pci/p2pdma.c. P2PDMA enables direct memory transfers between PCI devices without CPU involvement, using a gen_pool allocator and pgmap (page map) structures managed with per-CPU reference counting (percpu_ref). When gen_pool_alloc_owner() succeeds it increments the pgmap per-CPU ref. If the subsequent vm_insert_page() call fails - for example due to virtual address space exhaustion - the function returns the error without calling percpu_ref_put() to release the previously acquired ref. This off-by-one reference leak prevents the count from ever reaching zero, so memunmap_pages(), invoked during PCI device removal or hotplug, spins indefinitely waiting for the ref to drop. The root cause is a missing cleanup step on an error path, analogous to CWE-772 (Missing Release of Resource after Effective Lifetime). The CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* covers all Linux kernel versions within the affected commit range. Note: the input tag 'Information Disclosure' conflicts with the CVSS vector (C:N) and the description - no confidentiality impact is present.

RemediationAI

The primary fix is upgrading to a patched kernel version: 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0 depending on the active stable branch. Each fix adds a single percpu_ref_put() call on the vm_insert_page() error path in p2pmem_alloc_mmap(); patch commits are listed at kernel.org stable (see references above). Distribution-maintained kernels from Red Hat, Ubuntu, SUSE, and Debian should be monitored for backported stable updates to their respective kernel packages. Where immediate patching is not possible and the P2PDMA feature is not required, operators can rebuild the kernel with CONFIG_PCI_P2PDMA=n to eliminate the vulnerable code path entirely - this disables peer-to-peer DMA acceleration as a trade-off. Alternatively, restricting unprivileged access to PCI P2PDMA character devices reduces exposure by preventing low-privileged users from invoking the mmap path, though this may not fully prevent the condition if privileged processes also use this path.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-32346 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy