In the Linux kernel's regulator driver for the bq257xx family, a bug in the function bq257xx_reg_dt_parse_gpio() causes the driver to skip the release of a child node reference when a required subchild cannot be retrieved. This reference leak can accumulate with repeated parsing events, eventually exhausting kernel memory and causing system instability or denial of service. The weakness is a classic reference‑counting error, classified as CWE‑772.

The vulnerability affects all Linux kernel builds that include the bq257xx regulator source code without the recent fix. This includes mainstream distributions and embedded platforms that rely on this driver. No specific version range is provided, so any kernel that predates the commit that introduced the patch is considered vulnerable.

The EPSS score is less than 1 percent, indicating a low probability of active exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, so no confirmed exploits exist. Based on the description, it is inferred that an attacker would need local or privileged access to influence the device tree parsing logic, for example by providing a manipulated firmware image or device tree node that triggers repeated parsing. By exhausting kernel resources, the attacker could force a denial‑of‑service condition over time. The risk is consequently moderate, and reliance on the patched kernel offers robust protection.