Description
In the Linux kernel, the following vulnerability has been resolved:

gpio: Fix resource leaks on errors in gpiochip_add_data_with_key()

Since commit aab5c6f20023 ("gpio: set device type for GPIO chips"),
`gdev->dev.release` is unset. As a result, the reference count to
`gdev->dev` isn't dropped on the error handling paths.

Drop the reference on errors.

Also reorder the instructions to make the error handling simpler.
Now gpiochip_add_data_with_key() roughly looks like:

>>> Some memory allocation. Go to ERR ZONE 1 on errors.
>>> device_initialize().

gpiodev_release() takes over the responsibility for freeing the
resources of `gdev->dev`. The subsequent error handling paths
shouldn't go through ERR ZONE 1 again which leads to double free.

>>> Some initialization mainly on `gdev`.
>>> The rest of initialization. Go to ERR ZONE 2 on errors.
>>> Chip registration success and exit.

>>> ERR ZONE 2. gpio_device_put() and exit.
>>> ERR ZONE 1.
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel’s GPIO subsystem causes the reference count on a device structure to remain unreleased when the gpiochip_add_data_with_key() function encounters an error. This mismanagement can lead to a resource leak or, in the worst case, a double free that corrupts kernel memory. The vulnerability does not provide a direct remote code execution path; it would require an attacker to be able to trigger the specific error handling path within the kernel, implying a local privilege escalation or root context is necessary for exploitation.

Affected Systems

The issue affects Linux kernel builds that omit the commit aab5c6f20023 which introduced proper release handling. Because the affected versions are not enumerated in the CVE payload, systems running any kernel that predates this commit are potentially at risk. Distributions that provide a patched kernel, even if the exact release is not specified, are considered protected.

Risk and Exploitability

The CVSS score is 5.5, and the EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, so quantitative risk estimates cannot be specified. Nonetheless, a double free in kernel code can trigger a panic or allow an attacker with sufficient privileges to alter kernel memory, so the risk is non‑negligible for affected systems. The lack of a publicly documented exploit reduces the current threat level, but the kernel crash potential warrants timely remediation.

Generated by OpenCVE AI on May 2, 2026 at 07:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the aab5c6f20023 commit (for example, the most recent stable release from the kernel maintainers).
  • If the distribution does not yet ship the updated kernel, apply the commit to the kernel source tree, rebuild the kernel, and install the patched image.
  • In environments where a kernel rebuild is not feasible, consider disabling or removing modules that load the faulty GPIO chip drivers to reduce the attack surface until a patch is available.

Generated by OpenCVE AI on May 2, 2026 at 07:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: gpio: Fix resource leaks on errors in gpiochip_add_data_with_key() Since commit aab5c6f20023 ("gpio: set device type for GPIO chips"), `gdev->dev.release` is unset. As a result, the reference count to `gdev->dev` isn't dropped on the error handling paths. Drop the reference on errors. Also reorder the instructions to make the error handling simpler. Now gpiochip_add_data_with_key() roughly looks like: >>> Some memory allocation. Go to ERR ZONE 1 on errors. >>> device_initialize(). gpiodev_release() takes over the responsibility for freeing the resources of `gdev->dev`. The subsequent error handling paths shouldn't go through ERR ZONE 1 again which leads to double free. >>> Some initialization mainly on `gdev`. >>> The rest of initialization. Go to ERR ZONE 2 on errors. >>> Chip registration success and exit. >>> ERR ZONE 2. gpio_device_put() and exit. >>> ERR ZONE 1.
Title gpio: Fix resource leaks on errors in gpiochip_add_data_with_key()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:14:30.844Z

Reserved: 2026-03-09T15:48:24.137Z

Link: CVE-2026-31732

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:35.807

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31732

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31732 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T07:45:37Z

Weaknesses