A bug in the Linux kernel regulator driver for the bq257xx series introduces a reference‑counting error when parsing device‑tree GPIO nodes. In bq257xx_reg_dt_parse_gpio(), an early return caused by a missing subchild omits a call to of_node_put(child), leaking an object reference. The resulting leak accumulates with repeated device‑tree scans and is classified under CWE‑772. While the CVSS score of 5.5 indicates moderate severity, the flaw could, over time, exhaust kernel memory and lead to a denial‑of‑service condition.

The vulnerability is present in any Linux kernel that includes the bq257xx regulator source without the patch that restores proper of_node_put handling. According to the CPE data, affected versions include 6.18 and all 7.0 release candidates up to rc7. Any distribution or embedded platform that builds the kernel from those sources without applying the commit is at risk.

The EPSS score of less than 1% and the absence of a CISA KEV listing suggest a low probability of widespread exploitation. However, exploitation would require an attacker to trigger the vulnerable code path, which likely necessitates local or privileged access to modify firmware or supply a crafted device tree entry. Because the description does not detail an attack vector, it is inferred that local attacker controls are needed to realize the resource‑exhaustion impact.