CVE-2026-43004 - Vulnerability Details

- spi: stm32-ospi: Fix resource leak in remove() callback

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: stm32-ospi: Fix resource leak in remove() callback

The remove() callback returned early if pm_runtime_resume_and_get()
failed, skipping the cleanup of spi controller and other resources.

Remove the early return so cleanup completes regardless of PM resume
result.

Published: 2026-05-01

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The stm32‑ospi driver contains a resource management flaw (CWE‑772) where its remove() callback exits prematurely if a power‑management resume request fails. This prevents the driver from releasing internal resources, creating a hidden memory or resource leak in the Linux kernel. Repeatedly unloading and reloading the driver could gradually deplete system resources, degrading performance or causing a denial of service. The issue is a kernel‑level flaw; exploitation requires control over the driver lifecycle and therefore elevated privileges. The only known mitigation is the upstream patch that removes the early return, ensuring cleanup runs regardless of resume success.

Affected Systems

The vulnerability affects any system running a Linux kernel that includes the stm32‑ospi driver. Exact kernel versions are not listed, but the problem is present in kernels prior to the patch commit. It is relevant to embedded devices, development boards, or custom kernels that use the STM32 OSPi peripheral controller.

Risk and Exploitability

The CVSS score is 5.5, indicating a moderate severity, and the EPSS score of less than 1% reflects a low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The risk to a defender is moderate to high if the driver is frequently unloaded and reloaded in a compromised environment. The attack vector is inferred to be local with root or module‑loader privileges; no public exploits are documented. Mitigation is driven by applying the upstream patch rather than relying on the low probability of exploitation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`79b8a705e26c08f8f09dd55f1dd56f2375973d2d`	affected	< b4ec54c974c6ea68b309989dcc3d3511068f45f3
`79b8a705e26c08f8f09dd55f1dd56f2375973d2d`	affected	< 0807532c5ebb72751bfe773e6ae79db0e9c57ab9
`79b8a705e26c08f8f09dd55f1dd56f2375973d2d`	affected	< 73cd1f97946ae3796544448ff12c07f399bb2881

Linux

affected

Version	Status	Constraints
`6.15`	affected	—
`0`	unaffected	< 6.15
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[79b8a705e26c08f8f09dd55f1dd56f2375973d2d,b4ec54c974c6ea68b309989dcc3d3511068f45f3)`	affected	code_commit	—
`[79b8a705e26c08f8f09dd55f1dd56f2375973d2d,0807532c5ebb72751bfe773e6ae79db0e9c57ab9)`	affected	code_commit	—
`[79b8a705e26c08f8f09dd55f1dd56f2375973d2d,73cd1f97946ae3796544448ff12c07f399bb2881)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.15`	affected	generic	—
`[0,6.15)`	unaffected	generic	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that contains the stm32‑ospi patch (commit 0807532c5ebb7… which removes the early return in remove()).
If an immediate kernel upgrade is not possible, temporarily unload the stm32‑ospi module and avoid operations that trigger its removal until the patch is applied, to prevent resource leakage.
After applying the patch, monitor system memory and driver activity for any abnormal resource retention.

Generated by OpenCVE AI on May 12, 2026 at 22:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0807532c5ebb72751bfe773e6ae79db0e9c57ab9
https://git.kernel.org/stable/c/73cd1f97946ae3796544448ff12c07f399bb2881
https://git.kernel.org/stable/c/b4ec54c974c6ea68b309989dcc3d3511068f45f3
https://lore.kernel.org/linux-cve-announce/2026050153-CVE-2026-43004-13b2@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43004
https://www.cve.org/CVERecord?id=CVE-2026-43004

History

Tue, 12 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026050153-CVE-2026-43004-13b2@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43004 https://www.cve.org/CVERecord?id=CVE-2026-43004

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: spi: stm32-ospi: Fix resource leak in remove() callback The remove() callback returned early if pm_runtime_resume_and_get() failed, skipping the cleanup of spi controller and other resources. Remove the early return so cleanup completes regardless of PM resume result.
Title		spi: stm32-ospi: Fix resource leak in remove() callback
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0807532c5ebb72751bfe773e6ae79db0e9c57ab9 https://git.kernel.org/stable/c/73cd1f97946ae3796544448ff12c07f399bb2881 https://git.kernel.org/stable/c/b4ec54c974c6ea68b309989dcc3d3511068f45f3

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:15:12.032Z

Updated: 2026-05-11T22:15:50.593Z

Reserved: 2026-05-01T14:12:55.973Z

Link: CVE-2026-43004

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-01T15:16:44.237

Modified: 2026-05-12T18:06:12.783

Link: CVE-2026-43004

Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43004 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-12T22:15:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object