Description
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (nct7363) Fix a resource leak in nct7363_present_pwm_fanin

When calling of_parse_phandle_with_args(), the caller is responsible
to call of_node_put() to release the reference of device node.
In nct7363_present_pwm_fanin, it does not release the reference,
causing a resource leak.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Linux kernel's hwmon driver for the nct7363 chipset is a reference count leak that occurs when parsing device tree phandles. Each call to of_parse_phandle_with_args() takes a reference to a device node, and that reference is never released because the matching of_node_put() call is omitted. Over time, repeated calls could exhaust kernel memory and driver resources, potentially leading to kernel instability or a denial of service. This issue falls under a resource exhaustion weakness, similar to CWE-401.
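The get/put imbalance described above can be reproduced in a small userspace model. This is an added example, not the driver's code or the upstream patch: the `model_*` and `present_*` names, the struct layouts and the sample argument values are assumptions made for illustration.

```c
#include <stdio.h>

/* Userspace stand-ins for a refcounted device node and the parsed phandle
 * arguments. These are illustrative, not the kernel's structures. */
struct model_node { const char *name; int refcount; };
struct model_args { struct model_node *np; int args_count; unsigned args[2]; };

static void model_node_put(struct model_node *n) { if (n) n->refcount--; }

/* Mirrors the contract the description states for of_parse_phandle_with_args():
 * on success, out->np carries a reference that the caller must release. */
static int model_parse_phandle(struct model_node *target, struct model_args *out)
{
    if (!target)
        return -1;
    target->refcount++;            /* reference handed to the caller */
    out->np = target;
    out->args_count = 2;
    out->args[0] = 3;              /* constructed sample values */
    out->args[1] = 7;
    return 0;
}

/* Leaky shape: uses the parsed arguments, never drops the node reference. */
static int present_leaky(struct model_node *target, unsigned *chan)
{
    struct model_args a;
    if (model_parse_phandle(target, &a))
        return -1;
    *chan = a.args[0];
    return 0;
}

/* Balanced shape: every successful parse is paired with a put. */
static int present_balanced(struct model_node *target, unsigned *chan)
{
    struct model_args a;
    int ret = model_parse_phandle(target, &a);
    if (ret)
        return ret;
    *chan = a.args[0];
    model_node_put(a.np);
    return 0;
}

/* Number of references still held after `calls` invocations of fn. */
static int leaked_refs(int (*fn)(struct model_node *, unsigned *), int calls)
{
    struct model_node pwm = { "pwm", 1 };
    unsigned chan = 0;
    for (int i = 0; i < calls; i++)
        fn(&pwm, &chan);
    return pwm.refcount - 1;
}

int main(void)
{
    printf("leaky: %d balanced: %d\n",
           leaked_refs(present_leaky, 100), leaked_refs(present_balanced, 100));
    return 0;
}
```
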

Affected Systems

Affected systems are any Linux distributions running a kernel that includes the nct7363 driver, as identified in the CPE string for the Linux kernel generic product. This includes all current Linux kernel releases that have not yet incorporated the fix, regardless of vendor distribution. Specific affected kernel versions are not listed, so any kernel lacking the upstream commit that fixes the leak is vulnerable.

Risk and Exploitability

The CVSS score is not provided, the EPSS score is unavailable, and the vulnerability is not in CISA's KEV catalog. The vulnerability is a local kernel flaw that typically requires a process with elevated privileges or local access to trigger. An attacker with local access could repeatedly invoke the fan control path to drain resources. While not exploitable remotely, the potential for denial of service makes it a high‑priority issue for environments that rely on real‑time or mission‑critical Linux systems.

Generated by OpenCVE AI on May 6, 2026 at 13:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the upstream commit correcting the reference leak in the nct7363_present_pwm_fanin path.
  • Disable or remove the nct7363 driver if the chipset is not used, or limit fan control usage to avoid unnecessary calls that could trigger the leak until patching completes.
  • Monitor kernel memory usage and device node reference counts to detect abnormal growth patterns that may indicate lingering instances of the bug, and take remedial action such as restarting services or the system.

Advisories

No advisories yet.

History

Wed, 06 May 2026 14:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-401

Wed, 06 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: hwmon: (nct7363) Fix a resource leak in nct7363_present_pwm_fanin When calling of_parse_phandle_with_args(), the caller is responsible to call of_node_put() to release the reference of device node. In nct7363_present_pwm_fanin, it does not release the reference, causing a resource leak.
Title | | hwmon: (nct7363) Fix a resource leak in nct7363_present_pwm_fanin
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:42.588Z

Reserved: 2026-05-01T14:12:55.990Z

Link: CVE-2026-43165

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:34.687

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43165

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T13:45:04Z

Weaknesses