Description
In the Linux kernel, the following vulnerability has been resolved:

octeon_ep: Fix memory leak in octep_device_setup()

In octep_device_setup(), if octep_ctrl_net_init() fails, the function
returns directly without unmapping the mapped resources and freeing the
allocated configuration memory.

Fix this by jumping to the unsupported_dev label, which performs the
necessary cleanup. This aligns with the error handling logic of other
paths in this function.

Compile tested only. Issue found using a prototype static analysis tool
and code review.
Published: 2026-02-14
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Resource Exhaustion
Action: Apply Patch
AI Analysis

Impact

A function in the Linux kernel driver for octeon_ep leaks memory when initialization of the control network fails. The code returns early without unmapping mapped resources and freeing allocated configuration memory, creating a kernel‑level memory leak. The overall impact is the gradual exhaustion of kernel memory that could eventually cause system instability or denial of service. The weakness is documented as CWE-401, "Improper Release of Memory or Other Resource During a Failure Condition."
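
The error path described above, modelled in user space as an added example (not the kernel driver's code). Only octep_ctrl_net_init() and the unsupported_dev label come from the advisory; the struct, helper names and counters are hypothetical stand-ins for the mapped resources and the configuration memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model: counters track resources currently held. */
static int live_maps, live_allocs;
struct dev { void *mmio; void *conf; };

static void *map_region(void)      { live_maps++;   return malloc(16); }
static void unmap_region(void *p)  { live_maps--;   free(p); }
static void *alloc_conf(void)      { live_allocs++; return malloc(64); }
static void free_conf(void *p)     { live_allocs--; free(p); }
/* Stand-in for octep_ctrl_net_init(): fails when asked to. */
static int ctrl_net_init(int fail) { return fail ? -1 : 0; }

/* Before the fix: the failure branch returns directly. */
static int setup_leaky(struct dev *d, int fail)
{
    d->mmio = map_region();
    d->conf = alloc_conf();
    if (ctrl_net_init(fail))
        return -1;              /* mapping and config are never released */
    return 0;
}

/* After the fix: the failure branch jumps to the shared cleanup label. */
static int setup_fixed(struct dev *d, int fail)
{
    d->mmio = map_region();
    d->conf = alloc_conf();
    if (ctrl_net_init(fail))
        goto unsupported_dev;
    return 0;
unsupported_dev:
    unmap_region(d->mmio);
    free_conf(d->conf);
    return -1;
}

/* Run n failing setup attempts; return how many resources stay held. */
static int leaked_after(int (*setup)(struct dev *, int), int n)
{
    live_maps = live_allocs = 0;
    for (int i = 0; i < n; i++) {
        struct dev d = {0};
        (void)setup(&d, 1);
    }
    return live_maps + live_allocs;
}

int main(void)
{
    printf("before fix: %d held\n", leaked_after(setup_leaky, 100));
    printf("after fix:  %d held\n", leaked_after(setup_fixed, 100));
    return 0;
}
```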

Affected Systems

The vulnerability is present in the octeon_ep driver within the Linux 6.19 release candidate kernels (rc1 through rc7). Users running any 6.19-rc kernel are affected unless the patch that corrects the early return has been applied. No other kernel versions are listed as affected.

Risk and Exploitability

The CVSS score of 5.5 places the issue in the medium severity range. The EPSS score of less than 1% indicates that current exploitation probability is very low, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker would need local privileged or root access in order to trigger failures in octep_device_setup(), as the vulnerable code executes during device initialization. The risk is therefore primarily local and could lead to memory exhaustion through repeated failures, but it is unlikely to be abused via a public remote attack vector.

Generated by OpenCVE AI on April 18, 2026 at 12:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the octeon_ep memory‑leak fix
  • If a kernel update is unavailable, disable the octeon_ep driver, either by preventing its module from loading or by unloading the module with rmmod
  • Monitor system logs for repeated octeon_ep initialization failures and watch kernel memory usage for abnormal growth



Advisories

No advisories yet.

History

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Tue, 17 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Sat, 14 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: octeon_ep: Fix memory leak in octep_device_setup() In octep_device_setup(), if octep_ctrl_net_init() fails, the function returns directly without unmapping the mapped resources and freeing the allocated configuration memory. Fix this by jumping to the unsupported_dev label, which performs the necessary cleanup. This aligns with the error handling logic of other paths in this function. Compile tested only. Issue found using a prototype static analysis tool and code review.
Title octeon_ep: Fix memory leak in octep_device_setup()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-14T16:01:25.900Z

Reserved: 2026-01-13T15:37:45.979Z

Link: CVE-2026-23160

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-14T16:15:56.177

Modified: 2026-03-18T14:12:40.197

Link: CVE-2026-23160

Red Hat

Severity: Moderate

Public Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23160 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T12:30:45Z

Weaknesses