Impact
The vulnerability is a memory leak in the DRM IMX TVE driver of the Linux kernel. During probe failure, the driver retains a reference to the DDC device, and it also fails to release the reference when the driver is unbound. This can lead to a gradual increase in kernel memory usage as repeated probe attempts or module reloads accumulate unreleased references, potentially degrading system performance or causing instability that could culminate in an out‑of‑memory condition.
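The leak pattern described above, as an added example that is not the driver's or the kernel's own code: a user-space C model in which a probe routine takes a reference on a DDC device and the leaky variant never drops it on probe failure or on unbind. All type and function names (`ddc_dev`, `tve_probe`, `tve_unbind`, `leaked_refs`) are hypothetical, and the `fixed` flag selects the corrected cleanup on both paths.

```c
/* User-space model of the reference leak; not kernel code.
 * Every name here is hypothetical and chosen for illustration. */
#include <stdbool.h>
#include <stdio.h>

struct ddc_dev { int refcount; };        /* stands in for the DDC device */
struct tve { struct ddc_dev *ddc; };     /* stands in for driver state */

static struct ddc_dev *ddc_get(struct ddc_dev *d) { d->refcount++; return d; }
static void ddc_put(struct ddc_dev *d) { if (d) d->refcount--; }

/* Probe: take the DDC reference, then run a later step that may fail.
 * With fixed == false the error path returns while still holding it. */
static int tve_probe(struct tve *t, struct ddc_dev *d, bool later_step_ok, bool fixed)
{
    t->ddc = ddc_get(d);
    if (!later_step_ok) {
        if (fixed) { ddc_put(t->ddc); t->ddc = NULL; }  /* drop on error path */
        return -1;
    }
    return 0;
}

/* Unbind: the leaky variant forgets the reference taken in probe. */
static void tve_unbind(struct tve *t, bool fixed)
{
    if (fixed)
        ddc_put(t->ddc);
    t->ddc = NULL;
}

/* Run n failed probes, then n bind/unbind cycles, and return how many
 * references are still held on the DDC device afterwards. */
int leaked_refs(int n, bool fixed)
{
    struct ddc_dev ddc = { .refcount = 0 };
    struct tve t = { 0 };
    for (int i = 0; i < n; i++)
        tve_probe(&t, &ddc, false, fixed);          /* probe failure */
    for (int i = 0; i < n; i++)
        if (tve_probe(&t, &ddc, true, fixed) == 0)  /* successful bind */
            tve_unbind(&t, fixed);
    return ddc.refcount;
}

int main(void)
{
    printf("leaky: %d refs held, fixed: %d refs held\n",
           leaked_refs(100, false), leaked_refs(100, true));
    return 0;
}
```

In the kernel, a device whose reference count never returns to zero is never released, which is why each failed probe or bind/unbind cycle adds to the memory that stays allocated.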
Affected Systems
It affects all Linux kernel source trees in the 6.19 release candidates (RC1 through RC7) that include the drm/imx/tve driver. The bug is present in any kernel built from those sources and has been fixed in the stable 6.19 release once the patch is applied. Systems running these kernels on devices that include the IMX TVE component are at risk, and users of distributions shipping those kernels should verify whether their kernel version is affected.
Risk and Exploitability
The CVSS score is 5.5, indicating medium severity. The EPSS score is below 1%, so the likelihood of exploitation is very low. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. The attack vector would be local: it requires an attacker who can trigger the driver probe on a system that runs the affected kernel and includes the IMX TVE device. Since the flaw is a resource leak rather than an arbitrary code execution flaw, an attacker would need to induce repeated probe failures or unload and reload the driver, which requires elevated privileges or at least access to the device interface. This makes the risk lower unless the system is exposed to untrusted users or processes.