CVE-2026-23027 - Vulnerability Details

- LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()

Description

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()

In kvm_ioctl_create_device(), kvm_device has allocated memory,
kvm_device->destroy() seems to be supposed to free its kvm_device
struct, but kvm_pch_pic_destroy() is not currently doing this, that
would lead to a memory leak.

So, fix it.

Published: 2026-01-31

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the LoongArch KVM implementation of the Linux kernel. During device creation, the kernel allocates a kvm_device structure but does not release that memory when the device is destroyed, leading to a memory leak. The impact is a gradual accumulation of orphaned memory that can exhaust system resources, potentially resulting in degraded performance or denial of service if the leak persists for enough time.

Affected Systems

Affected systems are Linux kernel builds that include the KVM module for the LoongArch architecture. The vulnerability applies specifically to LoongArch-enabled kernels; vendor and version information is not enumerated in the CNA data, so any kernel with the KVM module that has not yet incorporated the upstream fix is susceptible.

Risk and Exploitability

The CVSS score is not provided, but the EPSS score is below 1 %, indicating a very low probability of exploitation under normal conditions. The vulnerability is not listed in CISA’s KEV catalog, underscoring that it has not been linked to known exploit activity. The likely attack path requires an attacker to create and delete a KVM device on a LoongArch system, which is an operation typically performed by privileged users or within the context of VM management. Because no remote trigger is described, exploitation would be limited to environments where the attacker can control the creation of virtual devices or repeatedly alter the resource usage of a target system to provoke a memory exhaustion scenario.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e785dfacf7e7fe94370fa0e8e3ff1bc8fe179831`	affected	< fc53a66227af08d868face4b33fa8b2e1ba187ed
`e785dfacf7e7fe94370fa0e8e3ff1bc8fe179831`	affected	< 1cf342a7c3adc5877837b53bbceb5cc9eff60bbf

Linux

affected

Version	Status	Constraints
`6.13`	affected	—
`0`	unaffected	< 6.13
`6.18.7`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to the latest release that incorporates the commit fixing kvm_pch_pic_destroy() in the LoongArch KVM subsystem. The patch is available in the upstream Linux kernel source and is referenced by the advisory.
If a kernel upgrade is unavailable, restrict the creation and repeated destruction of LoongArch KVM devices by limiting user privileges or applying cgroup-based memory limits on virtual machine processes.
Continuously monitor system memory usage and the number of active KVM devices; if memory growth or a high count of orphaned devices is detected, reboot the kernel or isolate the affected VMs to prevent resource exhaustion.

Generated by OpenCVE AI on April 18, 2026 at 18:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1cf342a7c3adc5877837b53bbceb5cc9eff60bbf
https://git.kernel.org/stable/c/fc53a66227af08d868face4b33fa8b2e1ba187ed
https://lore.kernel.org/linux-cve-announce/2026013119-CVE-2026-23027-119a@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23027
https://www.cve.org/CVERecord?id=CVE-2026-23027

History

Sat, 18 Apr 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-399 CWE-401

Mon, 02 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026013119-CVE-2026-23027-119a@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23027 https://www.cve.org/CVERecord?id=CVE-2026-23027

Sat, 31 Jan 2026 12:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy() In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_pch_pic_destroy() is not currently doing this, that would lead to a memory leak. So, fix it.
Title		LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1cf342a7c3adc5877837b53bbceb5cc9eff60bbf https://git.kernel.org/stable/c/fc53a66227af08d868face4b33fa8b2e1ba187ed

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-01-31T11:42:06.183Z

Updated: 2026-02-09T08:37:21.456Z

Reserved: 2026-01-13T15:37:45.941Z

Link: CVE-2026-23027

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-01-31T12:16:06.020

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23027

Redhat

Severity :

Publid Date: 2026-01-31T00:00:00Z

Links: CVE-2026-23027 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T18:45:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object