Description
In the Linux kernel, the following vulnerability has been resolved:

PCI: hv: Fix double ida_free in hv_pci_probe error path

If hv_pci_probe() fails after storing the domain number in
hbus->bridge->domain_nr, there is a call to free this domain_nr via
pci_bus_release_emul_domain_nr(), however, during cleanup, the bridge
release callback pci_release_host_bridge_dev() also frees the domain_nr
causing ida_free to be called on same ID twice and triggering following
warning:

ida_free called for id=28971 which is not allocated.
WARNING: lib/idr.c:594 at ida_free+0xdf/0x160, CPU#0: kworker/0:2/198
Call Trace:
pci_bus_release_emul_domain_nr+0x17/0x20
pci_release_host_bridge_dev+0x4b/0x60
device_release+0x3b/0xa0
kobject_put+0x8e/0x220
devm_pci_alloc_host_bridge_release+0xe/0x20
devres_release_all+0x9a/0xd0
device_unbind_cleanup+0x12/0xa0
really_probe+0x1c5/0x3f0
vmbus_add_channel_work+0x135/0x1a0

Fix this by letting pci core handle the free domain_nr and remove
the explicit free called in pci-hyperv driver.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises when the hv_pci_probe function fails after allocating a PCI emulation domain number. The error path frees the domain number twice—once explicitly in the driver and once through the PCI core release callback—resulting in a double free and a kernel warning. The double free does not immediately expose user data, but it can corrupt internal allocation tables, trigger kernel panics, or lead to resource exhaustion, effectively causing a denial‑of‑service condition for the kernel host. The weakness is a classic double‑free vulnerability (CWE‑414).

Affected Systems

The issue is limited to the Linux kernel’s hypervisor PCI driver. It affects all platforms running Linux kernels that include the hv_pci_probe implementation without the recent patch. The vulnerability is specific to the hyperv PCI bridge handling and has been addressed in newer kernel releases as part of the patch that removes the explicit ida_free call.

Risk and Exploitability

The risk is moderate from an availability standpoint. While immediate remote exploitation appears unlikely, the lack of a safeguard against repeated ida_free calls can culminate in kernel instability. An attacker could create conditions that repeatedly cause hv_pci_probe failures, thereby exhausting domain numbers or triggering repeated kernel warnings that may eventually lead to a system crash. The vulnerability is not yet flagged as a known exploited flaw, but it merits timely remediation to avoid potential denial of service in environments that use hyperv PCI bridging.

Generated by OpenCVE AI on May 6, 2026 at 12:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch removing the double ida_free call (“hv_pci_probe error path” fix).
  • If an immediate kernel upgrade is not possible, download and apply the two commits (21bc8e0ba5c2a081b0a2808c976d4c9dbddf1e48 and b6422dff0e518245019233432b6bccfc30b73e2f) manually to the kernel source and rebuild the kernel.
  • After applying the patch, monitor kernel logs for any remaining ida_free warnings and verify that the domain number is no longer freed twice during PCI device failure scenarios.

Generated by OpenCVE AI on May 6, 2026 at 12:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-414

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: PCI: hv: Fix double ida_free in hv_pci_probe error path If hv_pci_probe() fails after storing the domain number in hbus->bridge->domain_nr, there is a call to free this domain_nr via pci_bus_release_emul_domain_nr(), however, during cleanup, the bridge release callback pci_release_host_bridge_dev() also frees the domain_nr causing ida_free to be called on same ID twice and triggering following warning: ida_free called for id=28971 which is not allocated. WARNING: lib/idr.c:594 at ida_free+0xdf/0x160, CPU#0: kworker/0:2/198 Call Trace: pci_bus_release_emul_domain_nr+0x17/0x20 pci_release_host_bridge_dev+0x4b/0x60 device_release+0x3b/0xa0 kobject_put+0x8e/0x220 devm_pci_alloc_host_bridge_release+0xe/0x20 devres_release_all+0x9a/0xd0 device_unbind_cleanup+0x12/0xa0 really_probe+0x1c5/0x3f0 vmbus_add_channel_work+0x135/0x1a0 Fix this by letting pci core handle the free domain_nr and remove the explicit free called in pci-hyperv driver.
Title PCI: hv: Fix double ida_free in hv_pci_probe error path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T07:40:28.157Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43097

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-06T10:16:23.137

Modified: 2026-05-06T10:16:23.137

Link: CVE-2026-43097

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T12:15:03Z

Weaknesses