Description
In the Linux kernel, the following vulnerability has been resolved:

phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()

The for_each_available_child_of_node() loop calls of_node_put() to
release child_np on each successful iteration. After breaking from the
loop once child_np has already been released, the code jumps to
the put_child label and calls of_node_put() again if
devm_request_threaded_irq() fails. This causes a double free bug.

Fix by returning directly to avoid the duplicate of_node_put().
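As an added illustration (not the kernel's code or the fix itself), the following C model reproduces the reference-count flow the description refers to: an iterator that releases each child node as it advances, an early break that has already released the current child, and a later error path that releases it once more through put_child. The names dt_node, node_put, next_child, probe and run_scenario are hypothetical stand-ins, MAX_PORTS is an assumed stand-in for the driver's port-count limit, and the explicit release before the break is assumed from the description.

```c
#include <stddef.h>
#define MAX_PORTS 2  /* assumed stand-in for the driver's port-count limit */
/* Constructed device_node stand-in; over_put counts releases past zero. */
struct dt_node { int refcount; int over_put; };

static void node_put(struct dt_node *n)          /* models of_node_put() */
{
    if (n && n->refcount > 0) n->refcount--;
    else if (n) n->over_put++;                   /* releasing a freed node */
}

/* Models for_each_available_child_of_node(): put the previous child,
 * get the next one, yield NULL once the children run out. */
static struct dt_node *next_child(struct dt_node *k, int n, struct dt_node *prev, int *i)
{
    node_put(prev);
    if (*i >= n) return NULL;
    k[*i].refcount++;
    return &k[(*i)++];
}

/* irq_fails: devm_request_threaded_irq() fails after the loop.
 * fixed: take the patched exit (return) instead of goto put_child. */
static int probe(struct dt_node *kids, int n, int irq_fails, int fixed)
{
    struct dt_node *child_np = NULL;
    int idx = 0, index = 0;
    while ((child_np = next_child(kids, n, child_np, &idx)) != NULL) {
        if (++index >= MAX_PORTS) {              /* port-limit guard */
            node_put(child_np);                  /* released, child_np != NULL */
            break;
        }
    }
    if (irq_fails) {
        if (fixed) return -1;                    /* patched: no second put */
        goto put_child;                          /* original path */
    }
    return 0;
put_child:
    node_put(child_np);                          /* second release: the bug */
    return -1;
}

/* Three constructed children; returns how many over-releases occurred. */
static int run_scenario(int irq_fails, int fixed)
{
    struct dt_node kids[3] = { {0, 0}, {0, 0}, {0, 0} };
    probe(kids, 3, irq_fails, fixed);
    return kids[0].over_put + kids[1].over_put + kids[2].over_put;
}
```

With three children and a failing IRQ request, the original exit path releases the second child twice while the patched path leaves every refcount at zero with no over-release.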
Published: 2026-01-31
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory corruption
Action: Apply Patch
AI Analysis

Impact

The double free occurs in the Rockchip USB 2.0 PHY driver when the probe routine calls of_node_put() twice on a device node that has already been released. The result is a classic use-after-free that can corrupt kernel memory and potentially lead to a kernel crash or, in the worst case, kernel-level code execution. Based on the description, it is inferred that an attacker who can influence the probe flow, such as by manipulating device tree entries or forcing the driver to load, can trigger the vulnerability.

Affected Systems

All Linux kernel versions that contain the buggy rockchip_usb2phy_probe() implementation are affected. The code lives in the mainline Linux kernel source for Rockchip System-on-Chip support and ships in every distribution kernel that builds this USB PHY driver. The vulnerability persists until the commit that removes the redundant of_node_put() is applied; no specific version range is given.

Risk and Exploitability

The EPSS score is reported as less than 1%, and the vulnerability is not listed in CISA's KEV catalogue, indicating a low likelihood of active exploitation. No public exploits are known, and triggering the bug would likely require local kernel access or prior privilege escalation in order to load the module that runs the probe routine. The impact is limited to kernel memory corruption and potential denial of service; arbitrary code execution remains theoretical.

Generated by OpenCVE AI on April 18, 2026 at 19:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the patch fixing the double free bug
  • Reboot the system after the kernel update so the new image takes effect
  • If a patch cannot be applied immediately, disable or remove Rockchip USB‑2.0 PHY support in the kernel configuration to prevent the vulnerable execution path

Advisories

Source      ID          Title
Debian DLA  DLA-4476-1  linux-6.1 security update
Debian DSA  DSA-6126-1  linux security update
Debian DSA  DSA-6127-1  linux security update

History

Sat, 18 Apr 2026 20:15:00 +0000
Weaknesses: added CWE-416

Fri, 06 Feb 2026 16:45:00 +0000

Tue, 03 Feb 2026 00:15:00 +0000

Sat, 31 Jan 2026 12:00:00 +0000
Description: added (same text as the Description section above)
Title: added "phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()"
First Time appeared: Linux; Linux linux Kernel
CPEs: added cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: added Linux; Linux linux Kernel
MITRE
Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-02-09T08:37:24.591Z
Reserved: 2026-01-13T15:37:45.942Z
Link: CVE-2026-23030

Vulnrichment
No data.

NVD
Status: Deferred
Published: 2026-01-31T12:16:06.313
Modified: 2026-04-15T00:35:42.020
Link: CVE-2026-23030

Redhat
Severity:
Public Date: 2026-01-31T00:00:00Z
Links: CVE-2026-23030 - Bugzilla

OpenCVE Enrichment
Updated: 2026-04-18T20:00:09Z

Weaknesses