Description
In the Linux kernel, the following vulnerability has been resolved:

dm mpath: Add missing dm_put_device when failing to get scsi dh name

When commit fd81bc5cca8f ("scsi: device_handler: Return error pointer in
scsi_dh_attached_handler_name()") added code to fail parsing the path if
scsi_dh_attached_handler_name() failed with -ENOMEM, it didn't clean up
the reference to the path device that had just been taken. Fix this, and
streamline the error paths of parse_path() a little.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing reference release in the Linux kernel’s device mapper multipath (dm mpath) module caused a resource leak when the kernel failed to retrieve a SCSI device handler (scsi_dh) name with an out‑of‑memory error. The leak occurs because the module does not call dm_put_device() to drop the reference to the path device. Over time, repeated invocations can exhaust kernel memory or lead to system instability, potentially allowing an attacker to force a denial‑of‑service scenario.
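The leak pattern described above, shown as an added userspace C model; this is not the kernel's parse_path() and not code from the fix. All names (model_dev, get_dev, put_dev, handler_name, parse_path_leaky, parse_path_fixed, refs_after_failures) are hypothetical stand-ins, and the -ENOMEM failure is injected through a flag and returned through an out-parameter rather than an error pointer.

```c
/* Userspace model of the error path in this CVE; not kernel code.
 * Every name here is a hypothetical stand-in for the dm/scsi_dh calls. */
#include <errno.h>
#include <stddef.h>
struct model_dev { int refs; };                /* stands in for the path device */
struct model_path { struct model_dev *dev; const char *hw_handler; };
static void get_dev(struct model_dev *d) { d->refs++; }  /* role of dm_get_device() */
static void put_dev(struct model_dev *d) { d->refs--; }  /* role of dm_put_device() */

/* Role of scsi_dh_attached_handler_name(); fail_alloc injects -ENOMEM. */
static const char *handler_name(int fail_alloc, int *err)
{
    *err = fail_alloc ? -ENOMEM : 0;
    return fail_alloc ? NULL : "alua";         /* constructed sample name */
}

/* Before the fix: the -ENOMEM return skips the put, so the reference leaks. */
static int parse_path_leaky(struct model_path *p, struct model_dev *d, int fail_alloc)
{
    int err;
    get_dev(d);
    p->hw_handler = handler_name(fail_alloc, &err);
    if (err) return err;                       /* BUG: reference is never dropped */
    p->dev = d;
    return 0;
}

/* After the fix: any failure after get_dev() unwinds through one label. */
static int parse_path_fixed(struct model_path *p, struct model_dev *d, int fail_alloc)
{
    int err;
    get_dev(d);
    p->hw_handler = handler_name(fail_alloc, &err);
    if (err) goto bad_put;
    p->dev = d;
    return 0;
bad_put:
    put_dev(d);
    return err;
}

/* Reference count left on the device after n failed parses. */
static int refs_after_failures(int fixed, int n)
{
    struct model_dev d = {0};
    struct model_path p = {0};
    for (int i = 0; i < n; i++)
        (fixed ? parse_path_fixed : parse_path_leaky)(&p, &d, 1);
    return d.refs;
}
```

Each failed parse in the leaky variant leaves one reference outstanding, so the count grows with the number of failures; the fixed variant returns it to zero.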

Affected Systems

The vulnerability applies to Linux systems running the Linux kernel before the inclusion of commit fd81bc5cca8f. All distributions that ship the affected kernel version are impacted. No specific version range is provided in the CVE record, but any kernel lacking this commit is susceptible.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA KEV. The CVSS score is not published in this data set, so the exact severity is unknown. Because the flaw requires the kernel to parse a device path and the exploitable condition is triggered by a negative allocation error, the attack vector is likely local with elevated privileges. The risk to confidentiality or integrity is low; the primary risk is availability due to resource exhaustion.

Generated by OpenCVE AI on May 6, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes commit fd81bc5cca8f or later.
  • Restrict access to the device-mapper multipath interfaces to prevent untrusted users from triggering malformed path parsing.
  • Consider disabling multipath or enabling kernel hardening options such as CONFIG_HARDENED_USERCOPY to reduce the impact of memory leaks.



Advisories

No advisories yet.

History

Wed, 06 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-401

Wed, 06 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: dm mpath: Add missing dm_put_device when failing to get scsi dh name When commit fd81bc5cca8f ("scsi: device_handler: Return error pointer in scsi_dh_attached_handler_name()") added code to fail parsing the path if scsi_dh_attached_handler_name() failed with -ENOMEM, it didn't clean up the reference to the path device that had just been taken. Fix this, and streamline the error paths of parse_path() a little.
Title | | dm mpath: Add missing dm_put_device when failing to get scsi dh name
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:28:01.182Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43192

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:38.083

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43192

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:45:07Z

Weaknesses