Skip to main content

Linux Kernel EUVDEUVD-2026-32466

| CVE-2026-46083 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6fq9-84g8-2vc6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local PR:L access required to trigger SPI setup failures; resource leak produces only availability impact with no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:28 vuln.today
CVSS changed
Jun 24, 2026 - 17:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

spi: fix resource leaks on device setup failure

Make sure to call controller cleanup() if spi_setup() fails while registering a device to avoid leaking any resources allocated by setup().

AnalysisAI

Resource leak in the Linux kernel SPI subsystem allows a local low-privileged attacker to exhaust kernel resources and cause denial of service. The flaw affects multiple stable kernel branches (5.4.x through 7.x) and occurs when spi_setup() fails during SPI device registration, leaving resources allocated by setup() unreleased because the controller cleanup() callback is never invoked on the error path. No public exploit exists and EPSS sits at 0.02% (5th percentile), indicating very low real-world exploitation probability; this is a stability fix appropriate for routine patching rather than emergency response.

Technical ContextAI

The affected component is the SPI (Serial Peripheral Interface) subsystem in the Linux kernel, identified by CPE cpe:2.3:o:linux:linux_kernel:*. CWE-401 (Missing Release of Memory after Effective Lifetime) describes the root cause: the error handling path in spi_setup() during device registration omits invoking the SPI controller driver's cleanup() callback, which is responsible for releasing resources previously allocated by the corresponding setup() call. Each failed registration attempt therefore leaks kernel-managed resources. Notably, the 'Information Disclosure' tag present in source metadata is inconsistent with both the CWE-401 classification and the CVSS impact metrics (C:N/I:N), and appears to be a mislabeling - the actual impact is purely availability through resource exhaustion, not confidentiality.

RemediationAI

Upgrade to the appropriate patched stable kernel release for your branch: 5.4.126 or later, 5.10.44 or later, 5.12.11 or later, 6.6.140, 6.12.86, 6.18.27, 7.0.4, or the 7.1-rc1 tree. Fix commits are available via kernel.org stable trees referenced above. Distribution maintainers (Red Hat, Debian, Ubuntu, SUSE) are expected to backport these fixes into their respective packages; apply vendor-provided kernel updates as soon as they become available. If an immediate kernel upgrade is not feasible, restricting unprivileged local user access to SPI device configuration interfaces reduces exposure, though no specific sysctl or kernel module parameter has been identified as a targeted workaround. Disabling unused SPI controller drivers via kernel build configuration or module blacklisting eliminates the attack surface entirely in environments that do not require SPI functionality, with the trade-off of losing SPI peripheral support.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.158 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.144 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.173 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.144 Affected
Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-EC2 Image SLES-GCE Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Affected
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed

Share

EUVD-2026-32466 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy