Skip to main content

Linux Kernel EUVDEUVD-2026-32424

| CVE-2026-46042 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-pmw2-6gh9-j59g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local sysfs write access at low privilege suffices to trigger unbounded kernel heap leaks; no confidentiality or integrity impact exists, only availability via OOM.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 15:47 vuln.today
CVSS changed
Jun 16, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()

weighted_interleave_auto_store() fetches old_wi_state inside the if (!input) block only. This causes two memory leaks:

  1. When a user writes "false" and the current mode is already manual,

the function returns early without freeing the freshly allocated new_wi_state.

  1. When a user writes "true", old_wi_state stays NULL because the

fetch is skipped entirely. The old state is then overwritten by rcu_assign_pointer() but never freed, since the cleanup path is gated on old_wi_state being non-NULL. A user can trigger this repeatedly by writing "1" in a loop.

Fix both leaks by moving the old_wi_state fetch before the input check, making it unconditional. This also allows a unified early return for both "true" and "false" when the requested mode matches the current mode.

Reviewed by: Donet Tom <donettom@linux.ibm.com>

AnalysisAI

Two kernel heap memory leaks in Linux kernel's weighted interleave NUMA memory policy subsystem allow a local low-privilege user to exhaust kernel memory and cause denial of service. The weighted_interleave_auto_store() function in mm/mempolicy.c fails to free new_wi_state on an early-return path and fails to free the old state object when overwritten via rcu_assign_pointer() when processing 'true' writes, because old_wi_state is only fetched inside the wrong conditional branch. The second leak is trivially automatable - any authorized sysfs writer can loop-write '1' indefinitely to drive the system into OOM - though no public exploit exists and EPSS sits at a negligible 0.02%.

Technical ContextAI

The vulnerability resides in mm/mempolicy.c, the Linux kernel's NUMA memory policy subsystem, specifically the sysfs attribute write handler weighted_interleave_auto_store(). CWE-401 (Missing Release of Memory after Effective Lifetime) describes the root cause: two distinct heap allocation paths exit without calling kfree() on previously allocated or replaced kernel objects. In leak path 1, a fresh new_wi_state allocation is made before the input check, but if the user writes 'false' and the current mode is already manual, the function returns early without freeing it. In leak path 2 (the more severe), writing 'true' skips the old_wi_state fetch entirely because that fetch is inside the if (!input) block; rcu_assign_pointer() then overwrites the live pointer with the new state, permanently orphaning the old allocation since the cleanup path is gated on old_wi_state != NULL. The fix (commits 39caa9ca, 6fae274c, c42a7efb) moves old_wi_state fetch unconditionally before the input check. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* from commit e341f9c3c841.

RemediationAI

Upgrade to Linux kernel 6.18.27, 7.0.4, or 7.1-rc1 or later, which include the one-line fix moving old_wi_state fetch before the input conditional. The upstream stable fix commits are at https://git.kernel.org/stable/c/39caa9ca863f96b3d00447c5aa200cabda489856, https://git.kernel.org/stable/c/6fae274ce0e3109cbbc4c18b354eaace1f0af7d7, and https://git.kernel.org/stable/c/c42a7efb9060d89b72708ffaf255d0002c2164a7; distribution maintainers (Red Hat, Ubuntu, SUSE, Debian) should be consulted for downstream package advisories. Where immediate kernel upgrade is not feasible, restrict write permissions on the weighted interleave sysfs interface (typically under /sys/kernel/mm/mempolicy/weighted_interleave/) to root only using chmod o-w or equivalent DAC controls - this eliminates the attack surface for unprivileged local users but disables their ability to tune NUMA weighted interleave policy, which is an acceptable trade-off for most production workloads. On systems where weighted interleave NUMA policy is not used at all, kernel recompilation without CONFIG_NUMA_BALANCING or the relevant policy option removes the code path entirely, though this is a high-effort mitigation.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy