Description
In the Linux kernel, the following vulnerability has been resolved:

net: phy: intel-xway: fix OF node refcount leakage

Automated review spotted an OF node reference count leakage when
checking if the 'leds' child node exists.

Call of_put_node() to correctly maintain the refcount.
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Resource Leak / Potential Denial of Service
Action: Apply Patch
AI Analysis

Impact

The flaw exists in the Linux kernel’s Intel Xway PHY driver where an Open Firmware (OF) node’s reference count is incorrectly left incremented when the driver checks for a child ‘leds’ node. Because the reference is never released, the node remains allocated, leading to a gradual consumption of kernel memory and an increase in resource usage. If the leak continues unchecked, it can cause system instability or a denial‑of‑service condition. This issue is classified as a resource leak (CWE‑772).

Affected Systems

The vulnerability affects systems running Linux kernel 6.19, specifically the release candidates 6.19‑rc1 through 6.19‑rc6. The kernel’s Open Firmware node reference counting in the Intel Xway PHY driver is the component that is impacted.

Risk and Exploitability

According to the supplied CVSS score of 5.5, the severity is moderate. The EPSS score is below 1 %, indicating a very low probability of exploitation as of the last assessment. It is not listed in the CISA KEV catalog, further suggesting that no widespread exploitation has been reported. The likely attack vector is local and requires triggering the driver’s device initialization that performs the flawed ‘leds’ node check; thus it would be limited to users with kernel or device‑driver access. The overall risk remains moderate but likely low for most environments.

Generated by OpenCVE AI on April 17, 2026 at 23:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that includes the fix, such as any release newer than 6.19‑rc6 or any later stable kernel that contains the OF node refcount patch.
  • If your environment cannot be updated immediately, obtain the upstream patch from the referenced commit links and apply it to your kernel source tree, then rebuild and install the kernel.
  • Monitor kernel logs and memory usage for signs of abnormal resource consumption, and ensure that device access is restricted to trusted users if feasible.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*

Thu, 05 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics
Values Removed: threat_severity: None
Values Added: cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Moderate


Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: phy: intel-xway: fix OF node refcount leakage Automated review spotted an OF node reference count leakage when checking if the 'leds' child node exists. Call of_put_node() to correctly maintain the refcount.
Title net: phy: intel-xway: fix OF node refcount leakage
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:38:20.980Z

Reserved: 2026-01-13T15:37:45.960Z

Link: CVE-2026-23081

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-04T17:16:18.873

Modified: 2026-03-18T13:44:29.013

Link: CVE-2026-23081

Redhat

Severity: Moderate

Public Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23081 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T23:45:25Z

Weaknesses