CVE-2026-23026 - Vulnerability Details

- dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()

Description

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()

Fix a memory leak in gpi_peripheral_config() where the original memory
pointed to by gchan->config could be lost if krealloc() fails.

The issue occurs when:
1. gchan->config points to previously allocated memory
2. krealloc() fails and returns NULL
3. The function directly assigns NULL to gchan->config, losing the
reference to the original memory
4. The original memory becomes unreachable and cannot be freed

Fix this by using a temporary variable to hold the krealloc() result
and only updating gchan->config when the allocation succeeds.

Found via static analysis and code review.

Published: 2026-01-31

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, the function gpi_peripheral_config() in the qcom GPI DMA engine driver contains a memory leak that occurs when a reallocation fails. The function overwrites the original configuration pointer with NULL, causing the previously allocated memory to become unreachable and unrecoverable. This flaw can gradually increase kernel memory usage and eventually destabilize the system, resulting in a denial‑of‑service scenario if the leak is triggered repeatedly. The weakness is a classic unbounded memory leak (CWE‑401).

Affected Systems

The vulnerability exists in all Linux kernel builds that include the affected driver code, specifically kernels 5.11 through 6.19 (including all release candidates) and any future releases that have not yet integrated the fix. As the product is part of the Linux kernel itself, any distribution using these kernel versions without the patch is impacted.

Risk and Exploitability

The CVSS score is 5.5, indicating a moderate severity. The EPSS score is less than 1%, reflecting a very low probability of exploitation in the current environment, and the vulnerability is not listed in the CISA KEV catalog. The description does not specify a remote attack vector; it is inferred that the exploit requires local access to influence driver configuration operations, such as repeated peripheral initializations or injection of allocation failures. If an attacker can trigger sufficient allocations and failures, they could force continuous memory growth, eventually leading to kernel crash or service disruption.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`5d0c3533a19f48e5e7e73806a3e4b29cd4364130`	affected	< 4532f18e4ab36def1f55cd936d0fc002b2ce34c2
`5d0c3533a19f48e5e7e73806a3e4b29cd4364130`	affected	< 694ab1f6f16cb69f7c5ef2452b22ba7b00a3c7c7
`5d0c3533a19f48e5e7e73806a3e4b29cd4364130`	affected	< 6bf4ef078fd11910988889a6c0b3698d2e0c89af
`5d0c3533a19f48e5e7e73806a3e4b29cd4364130`	affected	< 01b1d781394fc9b83015e3a3cd46b17bda842bd8
`5d0c3533a19f48e5e7e73806a3e4b29cd4364130`	affected	< 55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85
`5d0c3533a19f48e5e7e73806a3e4b29cd4364130`	affected	< 3f747004bbd641131d9396d87b5d2d3d1e182728

Linux

affected

Version	Status	Constraints
`5.11`	affected	—
`0`	unaffected	< 5.11
`5.15.199`	unaffected	≤ 5.15.*
`6.1.162`	unaffected	≤ 6.1.*
`6.6.122`	unaffected	≤ 6.6.*
`6.12.67`	unaffected	≤ 6.12.*
`6.18.7`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:5.11:-::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc8::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that includes the commit that fixes gpi_peripheral_config memory leak.
If an immediate kernel upgrade is not feasible, recompile the affected driver applying the temporary variable patch so that gchan->config is only updated on successful allocation.
Monitor kernel memory usage and logs for signs of frequent allocation failures or increased memory pressure, and consider disabling unused QCOM GPI peripherals to reduce the risk of repeated leaks.

Generated by OpenCVE AI on April 18, 2026 at 00:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4476-1	linux-6.1 security update
Debian DSA	DSA-6126-1	linux security update
Debian DSA	DSA-6127-1	linux security update
Ubuntu USN	USN-8162-1	Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN	USN-8180-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8180-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8186-1	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8187-1	Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN	USN-8188-1	Linux kernel (HWE) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00008.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/01b1d781394fc9b83015e3a3cd46b17bda842bd8
https://git.kernel.org/stable/c/3f747004bbd641131d9396d87b5d2d3d1e182728
https://git.kernel.org/stable/c/4532f18e4ab36def1f55cd936d0fc002b2ce34c2
https://git.kernel.org/stable/c/55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85
https://git.kernel.org/stable/c/694ab1f6f16cb69f7c5ef2452b22ba7b00a3c7c7
https://git.kernel.org/stable/c/6bf4ef078fd11910988889a6c0b3698d2e0c89af
https://lore.kernel.org/linux-cve-announce/2026013119-CVE-2026-23026-5ca7@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23026
https://www.cve.org/CVERecord?id=CVE-2026-23026

History

Wed, 25 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401
CPEs		cpe:2.3:o:linux:linux_kernel:5.11:-:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc7:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc8::::::
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 06 Feb 2026 16:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/4532f18e4ab36def1f55cd936d0fc002b2ce34c2 https://git.kernel.org/stable/c/694ab1f6f16cb69f7c5ef2452b22ba7b00a3c7c7

Mon, 02 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026013119-CVE-2026-23026-5ca7@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23026 https://www.cve.org/CVERecord?id=CVE-2026-23026
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Sat, 31 Jan 2026 12:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config() Fix a memory leak in gpi_peripheral_config() where the original memory pointed to by gchan->config could be lost if krealloc() fails. The issue occurs when: 1. gchan->config points to previously allocated memory 2. krealloc() fails and returns NULL 3. The function directly assigns NULL to gchan->config, losing the reference to the original memory 4. The original memory becomes unreachable and cannot be freed Fix this by using a temporary variable to hold the krealloc() result and only updating gchan->config when the allocation succeeds. Found via static analysis and code review.
Title		dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/01b1d781394fc9b83015e3a3cd46b17bda842bd8 https://git.kernel.org/stable/c/3f747004bbd641131d9396d87b5d2d3d1e182728 https://git.kernel.org/stable/c/55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85 https://git.kernel.org/stable/c/6bf4ef078fd11910988889a6c0b3698d2e0c89af

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-01-31T11:42:05.185Z

Updated: 2026-02-09T08:37:20.372Z

Reserved: 2026-01-13T15:37:45.941Z

Link: CVE-2026-23026

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-01-31T12:16:05.920

Modified: 2026-03-25T16:08:24.480

Link: CVE-2026-23026

Redhat

Severity : Moderate

Publid Date: 2026-01-31T00:00:00Z

Links: CVE-2026-23026 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T01:00:11Z

Weaknesses

CWE-401

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object