Description
In the Linux kernel, the following vulnerability has been resolved:

LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy()

In kvm_ioctl_create_device(), kvm_device has allocated memory,
kvm_device->destroy() seems to be supposed to free its kvm_device
struct, but kvm_ipi_destroy() is not currently doing this, that
would lead to a memory leak.

So, fix it.
Published: 2026-01-31
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Memory Leak
Action: Apply Patch
AI Analysis

Impact

The vulnerability occurs in the LoongArch KVM implementation of the Linux kernel when a kvm_device is created via kvm_ioctl_create_device(). The device's destroy function is expected to free the kvm_device structure, but kvm_ipi_destroy() does not perform the deallocation, creating a memory leak. The flaw cannot directly compromise confidentiality or integrity, but repeated exploitation could exhaust memory resources, potentially affecting stability and availability.
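The ownership contract behind this leak, as an added userspace model in C (not the kernel's code and not the upstream patch): a generic create path allocates the container and the device's destroy callback is the only place that can release it. The names `struct device`, `pool`, `destroy_leaky`, `destroy_fixed` and `successful_cycles` are hypothetical, and the 8-slot pool is a constructed stand-in for finite kernel memory.

```c
#include <stdio.h>
#include <string.h>
#define POOL_SLOTS 8                      /* constructed stand-in for finite memory */
struct device;
struct device_ops { void (*destroy)(struct device *dev); };
struct device { const struct device_ops *ops; int in_use; int state_ready; };
static struct device pool[POOL_SLOTS];

static struct device *pool_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;                          /* pool exhausted */
}
/* Generic create path: allocates the container on the device's behalf. */
static struct device *create_device(const struct device_ops *ops)
{
    struct device *dev = pool_alloc();
    if (!dev) return NULL;
    dev->ops = ops;
    dev->state_ready = 1;                 /* device-specific setup */
    return dev;
}

/* Leaky callback: tears down its own state, never releases the container. */
static void destroy_leaky(struct device *dev) { dev->state_ready = 0; }
/* Corrected callback: tears down state, then releases the container last. */
static void destroy_fixed(struct device *dev) { dev->state_ready = 0; dev->in_use = 0; }
static const struct device_ops leaky_ops = { .destroy = destroy_leaky };
static const struct device_ops fixed_ops = { .destroy = destroy_fixed };

/* Run create/destroy cycles on a fresh pool; return how many creates succeeded. */
static int successful_cycles(const struct device_ops *ops, int attempts)
{
    int ok = 0;
    memset(pool, 0, sizeof(pool));
    for (int i = 0; i < attempts; i++) {
        struct device *dev = create_device(ops);
        if (!dev) continue;               /* allocation failed: resource exhausted */
        ok++;
        dev->ops->destroy(dev);
    }
    return ok;
}

int main(void)
{
    printf("leaky: %d/100 creates succeed\n", successful_cycles(&leaky_ops, 100));
    printf("fixed: %d/100 creates succeed\n", successful_cycles(&fixed_ops, 100));
    return 0;
}
```

With the leaky callback every cycle strands one container, so creation starts failing once the pool is used up, while the corrected callback sustains all 100 cycles.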

Affected Systems

Affected are all installations of the Linux kernel that include the LoongArch KVM subsystem and predate the patch that corrects kvm_ipi_destroy(). The CNA lists the affected vendor as Linux. No specific kernel versions are enumerated in the advisory, so any kernel with the uncorrected code may be impacted.

Risk and Exploitability

The EPSS score is less than 1% and the issue is not listed in the CISA KEV catalog, indicating a low likelihood of exploitation in the wild. The flaw does not provide a remote code execution or privilege escalation vector; its exploitation requires repeated interactions with the KVM API, typically from a guest or privileged user. The impact remains limited to resource exhaustion rather than a direct compromise.

Generated by OpenCVE AI on April 18, 2026 at 00:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the kvm_ipi_destroy() memory leak fix from the Linux kernel branch.
  • If a kernel update is not possible, manually apply the patch from the Linux kernel git repository and rebuild the kernel.
  • Reboot the system to load the patched kernel and verify that the memory leak no longer occurs.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 01:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-401

Mon, 02 Feb 2026 12:15:00 +0000


Sat, 31 Jan 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy() In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_ipi_destroy() is not currently doing this, that would lead to a memory leak. So, fix it.
Title | | LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:37:22.464Z

Reserved: 2026-01-13T15:37:45.942Z

Link: CVE-2026-23028

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-01-31T12:16:06.120

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23028

Redhat

Severity:

Public Date: 2026-01-31T00:00:00Z

Links: CVE-2026-23028 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T01:00:11Z

Weaknesses