Skip to main content

Linux Kernel EUVDEUVD-2026-32392

| CVE-2026-45926 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8pjm-37v5-rw5h
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local vector with low privilege required to trigger PWM initialization; pure memory leak yields no confidentiality or integrity impact, only availability.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 25, 2026 - 12:54 vuln.today
CVSS changed
Jun 25, 2026 - 12:52 NVD
5.5 (MEDIUM)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

rust: pwm: Fix potential memory leak on init error

When initializing a PWM chip using pwmchip_alloc(), the allocated device owns an initial reference that must be released on all error paths.

If __pinned_init() were to fail, the allocated pwm_chip would currently leak because the error path returns without calling pwmchip_put().

AnalysisAI

Memory leak in the Linux kernel's Rust-language PWM subsystem allows a local low-privileged attacker to gradually exhaust kernel memory through repeated PWM chip initialization failures. The pwmchip_alloc() function allocates a device structure holding an initial reference that must be explicitly released via pwmchip_put() on error paths, but when __pinned_init() fails the reference is never dropped, leaking the pwm_chip allocation. EPSS stands at 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, indicating no known active exploitation; no public exploit code has been identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Rust-language implementation of the Linux kernel PWM (Pulse Width Modulation) subsystem, introduced as part of ongoing Rust-for-Linux efforts to rewrite driver infrastructure. PWM chips are kernel-managed hardware abstractions used for motor control, LED dimming, and clock generation; pwmchip_alloc() allocates the containing device structure and increments an initial reference count. Correct lifecycle management under the kernel's reference-counting model mandates that every error path calls pwmchip_put() to decrement this reference before returning, triggering the allocator's release callback when the count hits zero. CWE-401 (Missing Release of Memory after Effective Lifetime) precisely describes the root cause: the __pinned_init() Rust macro initialization function can return an error without the caller invoking pwmchip_put(), permanently orphaning the allocation. CPE data (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*) covers all Linux kernel versions within the commit range 7b3dce814a15bc5d9fb6124cd945291012c4ebb9 through the fix commits. Note that the input tag 'Information Disclosure' conflicts with the actual CWE-401 classification and CVSS impact metrics (C:N, I:N, A:H); this tag appears to be an erroneous classification artifact and should not inform risk decisions.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel release: Linux 6.19.4 or Linux 7.0 contain the fix per EUVD-2026-32392 version data. Administrators running a kernel built from source can apply the upstream stable commits directly at https://git.kernel.org/stable/c/a2633dc243c35754a0c2270131d8a199c987c9bf or https://git.kernel.org/stable/c/baa8b7097d9cc68ff85819cf683972a58c2ce32b. Distribution vendors (Debian, Ubuntu, RHEL, SUSE) will typically backport the fix to their supported kernel series; check distribution security advisories for per-distro package versions. As a compensating control on systems where a kernel upgrade is not immediately feasible, ensure that only privileged and trusted users have the ability to load or configure PWM kernel modules (CAP_SYS_MODULE or equivalent), which reduces the likelihood that an unprivileged user can repeatedly trigger the failing initialization path. Note that the vulnerability is not actively exploited and poses no confidentiality or integrity risk, so a scheduled maintenance window upgrade is appropriate rather than emergency patching.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-32392 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy