CVE-2026-43105 - Vulnerability Details

- drm/vc4: Fix memory leak of BO array in hang state

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/vc4: Fix memory leak of BO array in hang state

The hang state's BO array is allocated separately with kzalloc() in
vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the
missing kfree() for the BO array before freeing the hang state struct.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability resides in the Linux kernel’s drm/vc4 driver and results in a memory leak of the BO array during a hang state. The array is allocated with kzalloc() but never freed, allowing an attacker or benign usage pattern to accumulate unreclaimed memory over time. If the leak is exercised repeatedly, it could deplete system memory, potentially causing kernel panics or severely degraded performance, thus representing a denial‑of‑service risk. The Weakness Category is Memory Leak (CWE‑401).

Affected Systems

All Linux kernel builds that include the drm/vc4 driver are affected. No specific kernel versions were listed in the advisory, so any system running the driver before the described patch is potentially vulnerable.

Risk and Exploitability

The vulnerability does not have an associated EPSS score or CVSS vector in the advisory, and it is not listed in the CISA KEV catalog. Exploitation would require triggering the hang state or similar error condition that causes the BO array to be allocated. Because the condition involves normal kernel driver operation, the likelihood is uncertain but not negligible, especially on systems with heavy GPU or DRM usage. Overall risk is moderate, with potential for a DoS outcome if the leak is repeatedly exercised.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`214613656b5179f0daab6e0a080814b5100d45f0`	affected	< a812008fe3a0aebb778d277b35717f64e23d0302
`214613656b5179f0daab6e0a080814b5100d45f0`	affected	< 0d3c014a84396a147705f523a8fd6fc873e76502
`214613656b5179f0daab6e0a080814b5100d45f0`	affected	< 421cea4f71f7cf65abaae878562ee4aa2b684628
`214613656b5179f0daab6e0a080814b5100d45f0`	affected	< b8138567c4a80fd76a647849ebd4284996cf4b17
`214613656b5179f0daab6e0a080814b5100d45f0`	affected	< f4dfd6847b3e5d24e336bca6057485116d17aea4

Linux

affected

Version	Status	Constraints
`4.5`	affected	—
`0`	unaffected	< 4.5
`6.6.136`	unaffected	≤ 6.6.*
`6.12.83`	unaffected	≤ 6.12.*
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that includes the vc4_free_hang_state kfree() fix. The patch is bundled in recent Linux kernel releases; verify that the running kernel contains commit 0d3c014a8.
If an update is not possible, monitor for driver hang events and consider disabling or restricting the drm/vc4 device until a patch can be applied.
In environments where a quick fix is required, apply a local backport of the kfree() change to the kernel source and rebuild the kernel.

Generated by OpenCVE AI on May 6, 2026 at 12:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0d3c014a84396a147705f523a8fd6fc873e76502
https://git.kernel.org/stable/c/421cea4f71f7cf65abaae878562ee4aa2b684628
https://git.kernel.org/stable/c/a812008fe3a0aebb778d277b35717f64e23d0302
https://git.kernel.org/stable/c/b8138567c4a80fd76a647849ebd4284996cf4b17
https://git.kernel.org/stable/c/f4dfd6847b3e5d24e336bca6057485116d17aea4

History

Wed, 06 May 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401

Wed, 06 May 2026 09:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Fix memory leak of BO array in hang state The hang state's BO array is allocated separately with kzalloc() in vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the missing kfree() for the BO array before freeing the hang state struct.
Title		drm/vc4: Fix memory leak of BO array in hang state
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0d3c014a84396a147705f523a8fd6fc873e76502 https://git.kernel.org/stable/c/421cea4f71f7cf65abaae878562ee4aa2b684628 https://git.kernel.org/stable/c/a812008fe3a0aebb778d277b35717f64e23d0302 https://git.kernel.org/stable/c/b8138567c4a80fd76a647849ebd4284996cf4b17 https://git.kernel.org/stable/c/f4dfd6847b3e5d24e336bca6057485116d17aea4

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T07:40:33.706Z

Updated: 2026-05-06T07:40:33.706Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43105

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-06T10:16:24.097

Modified: 2026-05-06T10:16:24.097

Link: CVE-2026-43105

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T12:15:03Z

Weaknesses

CWE-401

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object