Skip to main content

Linux Kernel EUVDEUVD-2026-32768

| CVE-2026-46141 MEDIUM
Memory Leak (CWE-401)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-r2vf-f3jw-34mm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges needed to trigger MSI-X allocation; impact is kernel memory exhaustion only, with no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:29 vuln.today
CVSS changed
Jun 24, 2026 - 17:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

powerpc/xive: fix kmemleak caused by incorrect chip_data lookup

The kmemleak reports the following memory leak:

Unreferenced object 0xc0000002a7fbc640 (size 64): comm "kworker/8:1", pid 540, jiffies 4294937872 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00 ................ 00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00 ................ backtrace (crc 177d48f6): __kmalloc_cache_noprof+0x520/0x730 xive_irq_alloc_data.constprop.0+0x40/0xe0 xive_irq_domain_alloc+0xd0/0x1b0 irq_domain_alloc_irqs_parent+0x44/0x6c pseries_irq_domain_alloc+0x1cc/0x354 irq_domain_alloc_irqs_parent+0x44/0x6c msi_domain_alloc+0xb0/0x220 irq_domain_alloc_irqs_locked+0x138/0x4d0 __irq_domain_alloc_irqs+0x8c/0xfc __msi_domain_alloc_irqs+0x214/0x4d8 msi_domain_alloc_irqs_all_locked+0x70/0xf8 pci_msi_setup_msi_irqs+0x60/0x78 __pci_enable_msix_range+0x54c/0x98c pci_alloc_irq_vectors_affinity+0x16c/0x1d4 nvme_pci_enable+0xac/0x9c0 [nvme] nvme_probe+0x340/0x764 [nvme]

This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.

When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 ("powerpc/xive: Untangle xive from child interrupt controller drivers"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.

This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.

Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().

AnalysisAI

Memory leak in the Linux kernel's powerpc XIVE interrupt subsystem causes progressive kernel heap exhaustion on IBM POWER9+ systems when MSI-X vectors are allocated and then freed for PCI devices such as NVMe controllers. The regression was introduced by commit cc0cc23babc9 which refactored the XIVE/child interrupt controller relationship: xive_irq_free_data() subsequently used the wrong domain lookup path, causing every allocated struct xive_irq_data (64 bytes) to be orphaned on irqdomain teardown. No public exploit is identified and EPSS stands at 0.02% (4th percentile), consistent with the narrow hardware-specific scope and local-only access requirement.

Technical ContextAI

XIVE (eXternal Interrupt Virtualization Engine) is the interrupt controller subsystem for IBM POWER9 and later processors, replacing the older XICS controller. The IRQ subsystem allocates a struct xive_irq_data per interrupt via xive_irq_alloc_data() and anchors it to irq_data->chip_data within the XIVE parent irqdomain. After commit cc0cc23babc9 ('powerpc/xive: Untangle xive from child interrupt controller drivers'), the cleanup function xive_irq_free_data() was changed to retrieve chip_data via irq_get_chip_data(), which resolves through the child irqdomain rather than the XIVE parent domain where the data actually resides. The lookup returns stale or null data, so the kfree path is never reached. CWE-401 (Missing Release of Memory after Effective Lifetime) precisely characterizes this: a valid, reachable allocation whose cleanup path silently fails due to an incorrect domain traversal introduced by a refactor. The CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* covers the full kernel scope, but impact is narrowed to powerpc/XIVE codepath at runtime.

RemediationAI

Vendor-released patches are available: upgrade to Linux 6.18.30 or later on the 6.18 stable series, Linux 7.0.7 or later on the 7.0 stable series, or any mainline release from 7.1-rc1 onward. Fix commits can be cherry-picked from the kernel stable tree at https://git.kernel.org/stable/c/e66ed135cdf23a318e9727dca48f98f7f6142f78, https://git.kernel.org/stable/c/6771c54728c278bf1e4bfdab4fddbbb186e33498, and https://git.kernel.org/stable/c/2546fb8c9acc8c7512ed4339ce2a982cb7407065. On unpatched systems, restricting the rate of NVMe MSI-X allocation/deallocation cycles (e.g., limiting device hot-plug operations, reducing NVMe probe/remove churn in workloads) can slow memory accumulation but does not eliminate the underlying leak. Enabling kernel memory leak detection (CONFIG_DEBUG_KMEMLEAK) can help operators quantify leak severity prior to patching, though it adds runtime overhead and is not suitable for production without careful tuning.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32768 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy