Skip to main content

Linux Kernel EUVDEUVD-2026-32394

| CVE-2026-45928 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-x4v9-v29c-xh9h
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only access to a hardware device node with low-privilege user; no confidentiality or integrity impact; repeated leaks cause kernel memory exhaustion.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 12:54 vuln.today
CVSS changed
Jun 25, 2026 - 12:52 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

media: chips-media: wave5: Fix memory leak on codec_info allocation failure

In wave5_vpu_open_enc() and wave5_vpu_open_dec(), a vpu instance is allocated via kzalloc(). If the subsequent allocation for inst->codec_info fails, the functions return -ENOMEM without freeing the previously allocated instance, causing a memory leak.

Fix this by calling kfree() on the instance in this error path to ensure it is properly released.

AnalysisAI

Memory leak in the Linux kernel's chips-media wave5 VPU media driver allows a local low-privileged user to exhaust kernel memory, resulting in denial of service. The flaw exists in both the encoder and decoder open paths - wave5_vpu_open_enc() and wave5_vpu_open_dec() - where a VPU instance allocated via kzalloc() is not freed when the subsequent codec_info allocation fails. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting the hardware-specific and local-only nature of this issue.

Technical ContextAI

The affected code resides in drivers/media/platform/chips-media/wave5/ within the Linux kernel media subsystem, specifically the Chips&Media Wave5 VPU (Video Processing Unit) codec driver. CWE-401 (Missing Release of Memory after Effective Lifetime) describes the root cause: an error path in the kernel's open routines for encoding and decoding sessions allocates a vpu instance struct via kzalloc(), then fails to call kfree() on it before returning -ENOMEM when the secondary codec_info allocation fails. Repeated triggering of this path (e.g., under artificial memory pressure) accumulates unreferenced kernel heap allocations. The CPE data (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*) confirms the scope is the Linux kernel itself, though exploitation is practically restricted to systems with Chips&Media Wave5 hardware. The 'Information Disclosure' tag in the source data appears misclassified - the CVSS vector (C:N) and description confirm no confidentiality impact; availability exhaustion is the sole outcome.

RemediationAI

The primary fix is to upgrade the Linux kernel to a patched stable release: 6.12.75, 6.18.14, 6.19.4, or 7.0, as confirmed by upstream stable commits at https://git.kernel.org/stable/c/52defdd4034db1a34bb48006f889d66a3629224b (6.19.x), https://git.kernel.org/stable/c/1de71556cbd6e1d0d26fb86b9b3bb8caa0df8495 (6.18.x), https://git.kernel.org/stable/c/32e9e45cf7e3422d21fa64535588d3572faf71c3, and https://git.kernel.org/stable/c/a519e21e32398459ba357e67b541402f7295ee1b. As a compensating control on systems that cannot be patched immediately, unloading or blacklisting the wave5 kernel module (modprobe -r wave5; echo 'blacklist wave5' >> /etc/modprobe.d/wave5-blacklist.conf) prevents the vulnerable code paths from being reachable entirely - the trade-off is loss of Wave5 VPU hardware acceleration. Access to the VPU device node (typically /dev/video* or similar) can also be restricted via udev rules or filesystem permissions to deny unprivileged users from triggering the open paths, reducing exposure without fully disabling the driver.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy