CVE-2025-71272 - Vulnerability Details

- most: core: fix resource leak in most_register_interface error paths

Description

In the Linux kernel, the following vulnerability has been resolved:

most: core: fix resource leak in most_register_interface error paths

The function most_register_interface() did not correctly release resources
if it failed early (before registering the device). In these cases, it
returned an error code immediately, leaking the memory allocated for the
interface.

Fix this by initializing the device early via device_initialize() and
calling put_device() on all error paths.

The most_register_interface() is expected to call put_device() on
error which frees the resources allocated in the caller. The
put_device() either calls release_mdev() or dim2_release(),
depending on the caller.

Switch to using device_add() instead of device_register() to handle
the split initialization.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the most_register_interface function of the Linux kernel. When registration fails early, the function returns an error without freeing memory allocated for the device interface, causing a resource leak. This leak can lead to exhaustion of system memory, potentially degrading performance or causing a denial-of-service condition. The flaw is a classic instance of CWE-400: Resource Manipulation or Release.

Affected Systems

All Linux kernel builds that contain the unpatched most_register_interface routine are affected. The patch was introduced in the commit series referenced in the advisory; any kernel version shipped before that commit is vulnerable. No specific version numbers are listed, so the impact applies to all kernels lacking the fix.

Risk and Exploitability

Based on the description, the vulnerability is a memory resource leak that occurs when most_register_interface() fails early and returns an error without freeing allocated memory. The incident does not specify any direct exploitation vector but the leak can accumulate over time, potentially exhausting memory and causing a denial-of-service. The analysis of the risk level is inferred from the nature of memory leaks; a system that repeatedly triggers this error path could suffer memory exhaustion, yet a single occurrence is unlikely to manifest a noticeable impact. Because the issuance includes no active exploitation reports, the EPSS score is not available and the vulnerability is not listed in KEV. The ultimate risk depends on workload characteristics and the likelihood of repeated failure, but no concrete evidence of exploitation is present.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< a49028a796d7b94f8e3ab9bd34b18f36be235459
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< af0b99b2214a10554adb5b868240d23af6e64e71
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 2f483f3817fb0e4209ac5de928778b1da0cc8574
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 1f4c9d8a1021281750c6cda126d6f8a40cc24e71

Linux

affected

Version	Status	Constraints
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,a49028a796d7b94f8e3ab9bd34b18f36be235459)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,af0b99b2214a10554adb5b868240d23af6e64e71)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,2f483f3817fb0e4209ac5de928778b1da0cc8574)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,1f4c9d8a1021281750c6cda126d6f8a40cc24e71)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,7.0.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the most_register_interface patch commit
If an immediate kernel upgrade is not possible, rebuild the kernel with the latest upstream source that contains the fix
Temporarily disable or unload any kernel modules that invoke most_register_interface until the patched kernel is in place

Generated by OpenCVE AI on May 6, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1f4c9d8a1021281750c6cda126d6f8a40cc24e71
https://git.kernel.org/stable/c/2f483f3817fb0e4209ac5de928778b1da0cc8574
https://git.kernel.org/stable/c/a49028a796d7b94f8e3ab9bd34b18f36be235459
https://git.kernel.org/stable/c/af0b99b2214a10554adb5b868240d23af6e64e71

History

Wed, 06 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: most: core: fix resource leak in most_register_interface error paths The function most_register_interface() did not correctly release resources if it failed early (before registering the device). In these cases, it returned an error code immediately, leaking the memory allocated for the interface. Fix this by initializing the device early via device_initialize() and calling put_device() on all error paths. The most_register_interface() is expected to call put_device() on error which frees the resources allocated in the caller. The put_device() either calls release_mdev() or dim2_release(), depending on the caller. Switch to using device_add() instead of device_register() to handle the split initialization.
Title		most: core: fix resource leak in most_register_interface error paths
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1f4c9d8a1021281750c6cda126d6f8a40cc24e71 https://git.kernel.org/stable/c/2f483f3817fb0e4209ac5de928778b1da0cc8574 https://git.kernel.org/stable/c/a49028a796d7b94f8e3ab9bd34b18f36be235459 https://git.kernel.org/stable/c/af0b99b2214a10554adb5b868240d23af6e64e71

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:05.998Z

Updated: 2026-05-06T11:27:05.998Z

Reserved: 2026-03-17T09:08:18.458Z

Link: CVE-2025-71272

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:27.213

Modified: 2026-05-06T13:07:51.607

Link: CVE-2025-71272

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T17:15:08Z

Weaknesses

CWE-400

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object