Description
In the Linux kernel, the following vulnerability has been resolved:

most: core: fix resource leak in most_register_interface error paths

The function most_register_interface() did not correctly release resources
if it failed early (before registering the device). In these cases, it
returned an error code immediately, leaking the memory allocated for the
interface.

Fix this by initializing the device early via device_initialize() and
calling put_device() on all error paths.

The most_register_interface() is expected to call put_device() on
error which frees the resources allocated in the caller. The
put_device() either calls release_mdev() or dim2_release(),
depending on the caller.

Switch to using device_add() instead of device_register() to handle
the split initialization.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the Linux kernel function most_register_interface. When registration of a device interface fails early, the routine returns an error without releasing the memory it allocated for the interface, leading to a resource leak. This flaw can accumulate over repeated failures, potentially exhausting system memory, degrading performance, or culminating in a denial‑of‑service condition. The weakness reflects classic resource‑management vulnerabilities.
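The ownership rule behind this leak and its fix, as an added userspace C model (not kernel code and not the upstream patch). `mdev_initialize()`, `mdev_put()` and `mdev_release()` are hypothetical stand-ins for `device_initialize()`, `put_device()` and the `release_mdev()`/`dim2_release()` callbacks, and the static pool stands in for the caller's allocations.

```c
#include <errno.h>
#include <string.h>

#define POOL 128

/* Hypothetical userspace stand-in for struct device: refcount + release hook. */
struct mdev {
    int in_use, refcount;
    void (*release)(struct mdev *);
};

static struct mdev pool[POOL];  /* models the caller's interface allocations */

/* Models release_mdev()/dim2_release(): gives the caller's memory back. */
static void mdev_release(struct mdev *d) { d->in_use = 0; }
/* Models device_initialize(): the object now holds one reference. */
static void mdev_initialize(struct mdev *d) { d->refcount = 1; }
/* Models put_device(): the last put runs the release hook. */
static void mdev_put(struct mdev *d) { if (--d->refcount == 0) d->release(d); }

/* Before: an early check fails and returns; nothing releases the interface. */
int register_leaky(struct mdev *d, int valid)
{
    if (!valid)
        return -EINVAL;
    mdev_initialize(d);
    return 0;
}

/* After: initialise first, so every error path can drop the reference. */
int register_fixed(struct mdev *d, int valid)
{
    mdev_initialize(d);
    if (!valid) {
        mdev_put(d);  /* runs release(), freeing the caller's allocation */
        return -EINVAL;
    }
    return 0;
}

/* Caller allocates, then relies on the callee to clean up on failure. */
int leaked_after(int (*reg)(struct mdev *, int), int attempts)
{
    int leaked = 0;

    memset(pool, 0, sizeof(pool));
    for (int i = 0; i < attempts && i < POOL; i++) {
        pool[i].in_use = 1;
        pool[i].release = mdev_release;
        reg(&pool[i], 0);  /* constructed input: the early check always fails */
        leaked += pool[i].in_use;
    }
    return leaked;
}
```

Each failed call through `register_leaky()` strands one allocation, while `register_fixed()` returns the same error code with nothing left allocated.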

Affected Systems

All Linux kernel builds containing the unpatched most_register_interface function are affected. The patch was introduced in a series of commits referenced in the advisory; any kernel version shipped before those commits is vulnerable. The advisory does not specify particular kernel releases, so the impact applies to any kernel lacking the fix.

Risk and Exploitability

Because the leak is triggered only when most_register_interface fails early, a direct exploitation vector is limited. The CVSS score of 5.5 indicates medium severity, while an EPSS score of less than 1% signals a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The risk primarily materializes over time through memory exhaustion, especially in environments that frequently experience this error path. Monitoring and patching are therefore the most effective mitigations.

Generated by OpenCVE AI on May 13, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the most_register_interface patch commit
  • If an immediate kernel upgrade is not possible, rebuild the kernel with the latest upstream source that incorporates the fix
  • Temporarily disable or unload any kernel modules that invoke most_register_interface until the patched kernel is in place

Advisories

No advisories yet.

History

Wed, 13 May 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Tue, 12 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 07 May 2026 00:15:00 +0000


Wed, 06 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title most: core: fix resource leak in most_register_interface error paths
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T21:57:11.195Z

Reserved: 2026-03-17T09:08:18.458Z

Link: CVE-2025-71272

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:27.213

Modified: 2026-05-12T21:28:49.290

Link: CVE-2025-71272

Redhat

Severity :

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2025-71272 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T02:00:11Z

Weaknesses