Description
In the Linux kernel, the following vulnerability has been resolved:

gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths

The reference obtained by calling usb_get_dev() is not released in the
gpio_mpsse_probe() error paths. Fix that by using device managed helper
functions. Also remove the usb_put_dev() call in the disconnect function
since now it will be released automatically.
Published: 2026-01-31
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Resource Exhaustion
Action: Patch
AI Analysis

Impact

A reference leak in the Linux kernel’s MPSSE GPIO driver occurs when usb_get_dev() is called during device probe but not released on error paths. The missing usb_put_dev() causes the USB device reference to accumulate, potentially exhausting kernel references and leading to system instability or denial of service. This flaw is a kernel resource management weakness that can be categorized as a reference or memory leak.

Affected Systems

Linux kernel versions 6.13 and 6.19 (release candidates 1 through 8) are affected. The issue exists in the gpio-mpsse driver that is compiled into these kernel releases. Users running these kernel versions with MPSSE-enabled USB devices are exposed.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS probability is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting low likelihood of widespread exploitation. An attacker would need physical or local access to the target system to trigger the probe error path, typically by connecting a USB MPSSE device or causing a probe failure. If the bug is repeatedly exercised, it could degrade performance or crash the kernel, but remote exploitation without local access is not indicated.

Generated by OpenCVE AI on April 18, 2026 at 14:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a Linux kernel update that includes the MPSSE reference‑leak patch (e.g., any release newer than 6.13 or 6.19 RC8).
  • If an update is not immediately available, unload the gpio-mpsse driver and prevent it from loading at boot by blacklisting the module or removing its init script.
  • Restart the system after applying the changes to clear any accumulated references and ensure the driver is no longer active.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 02 Feb 2026 12:15:00 +0000


Sat, 31 Jan 2026 11:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths The reference obtained by calling usb_get_dev() is not released in the gpio_mpsse_probe() error paths. Fix that by using device managed helper functions. Also remove the usb_put_dev() call in the disconnect function since now it will be released automatically.
Title gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:37:08.715Z

Reserved: 2026-01-13T15:37:45.940Z

Link: CVE-2026-23015

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-01-31T12:16:04.797

Modified: 2026-03-25T18:11:59.657

Link: CVE-2026-23015

Redhat

Severity:

Public Date: 2026-01-31T00:00:00Z

Links: CVE-2026-23015 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T14:30:02Z

Weaknesses