Description
In the Linux kernel, the following vulnerability has been resolved:

slimbus: core: fix device reference leak on report present

Slimbus devices can be allocated dynamically upon reception of
report-present messages.

Make sure to drop the reference taken when looking up already registered
devices.

Note that this requires taking an extra reference in case the device has
not yet been registered and has to be allocated.
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Uncontrolled Resource Consumption (Potential Denial of Service)
Action: Patch
AI Analysis

Impact

A bug in the Linux kernel's slimbus core module caused a reference leak when the driver processed report‑present messages. When a new slimbus device is dynamically allocated, the kernel mistakenly retains an extra reference to the device object if it already exists, preventing the reference counter from dropping to the correct value. This over‑counting permits the kernel to keep more device objects alive than intended, which can exhaust kernel resources or cause erratic behavior such as memory pressure, degraded performance, or kernel instability.

Affected Systems

Devices running recent releases of the Linux kernel, specifically the 6.19 release candidates (rc1 through rc6) and any kernel images derived from those, are affected because the bug resides in the upstream core slimbus driver.

Risk and Exploitability

The vulnerability is rated with a CVSS score of 5.5, indicating moderate severity. EPSS indicates a very low likelihood of exploitation, and the flaw is not listed in the CISA KEV catalog. Exploitation would require an attacker to be able to trigger report‑present messages to a target kernel with a slimbus device; this is likely limited to environments where the attacker can influence the connection of such devices to the kernel, making broad remote exploitation unlikely.

Generated by OpenCVE AI on April 18, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel release that includes the reference‑leak fix (e.g., 6.19 rc7 or later).
  • If an immediate kernel upgrade is not possible, disable the slimbus driver by setting the kernel parameter 'slimbus.disable=1' or blacklisting the module to prevent the vulnerable code from loading.
  • Monitor kernel resource usage and kernel logs for signs of excessive slimbus object counts or memory pressure, and adjust system limits or device usage accordingly.

Generated by OpenCVE AI on April 18, 2026 at 18:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4475-1 linux security update
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6127-1 linux security update
Ubuntu USN Ubuntu USN USN-8162-1 Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8186-1 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8187-1 Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8188-1 Linux kernel (HWE) vulnerabilities
History

Tue, 17 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Fri, 06 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
References

Thu, 05 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References

Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: slimbus: core: fix device reference leak on report present Slimbus devices can be allocated dynamically upon reception of report-present messages. Make sure to drop the reference taken when looking up already registered devices. Note that this requires taking an extra reference in case the device has not yet been registered and has to be allocated.
Title slimbus: core: fix device reference leak on report present
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:38:30.400Z

Reserved: 2026-01-13T15:37:45.962Z

Link: CVE-2026-23090

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T17:16:19.877

Modified: 2026-03-17T21:09:35.300

Link: CVE-2026-23090

cve-icon Redhat

Severity :

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23090 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z

Weaknesses