Description
In the Linux kernel, the following vulnerability has been resolved:

fbdev: vt8500lcdfb: fix missing dma_free_coherent()

fbi->fb.screen_buffer is allocated with dma_alloc_coherent() but is not
freed if the error path is reached.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel framebuffer driver vt8500lcdfb allocates a screen buffer with dma_alloc_coherent() but fails to release it when an error occurs during initialization. This oversight causes a kernel‑level memory leak that persists until the driver is reloaded or the system reboots. The flaw does not expose an easy path to code execution, privilege escalation, or data disclosure; its primary effect is the gradual consumption of kernel memory, which over time could degrade performance or contribute to a denial‑of‑service. The weakness is consistent with CWE‑772, an improper release of resources.
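
The leak pattern described above, modelled in userspace C as an added example (this is not the vt8500lcdfb driver source or the upstream patch). fake_dma_alloc(), fake_dma_free(), later_step() and both probe functions are hypothetical stand-ins, and a counter tracks buffers that were allocated and never released.

```c
/* Userspace model of a probe() error path; not the vt8500lcdfb source.
 * fake_dma_alloc()/fake_dma_free() are hypothetical stand-ins for
 * dma_alloc_coherent()/dma_free_coherent() that count live buffers. */
#include <stdio.h>
#include <stdlib.h>
static int outstanding; /* buffers allocated and not yet freed */
static void *fake_dma_alloc(size_t size) {
    void *p = malloc(size);
    if (p) outstanding++;
    return p;
}
static void fake_dma_free(void *p) {
    if (p) { free(p); outstanding--; }
}
/* Hypothetical later init step, forced to fail when fail != 0. */
static int later_step(int fail) { return fail ? -1 : 0; }
/* Leaky shape: the early return drops the only pointer to the buffer. */
static int probe_leaky(int fail, void **buf_out) {
    void *buf = fake_dma_alloc(4096);
    if (!buf) return -1;
    if (later_step(fail) < 0)
        return -1;
    *buf_out = buf;
    return 0;
}
/* Fixed shape: every failure after the allocation unwinds through a label. */
static int probe_fixed(int fail, void **buf_out) {
    void *buf = fake_dma_alloc(4096);
    int ret;
    if (!buf) return -1;
    ret = later_step(fail);
    if (ret < 0) goto err_free_buf;
    *buf_out = buf;
    return 0;
err_free_buf:
    fake_dma_free(buf);
    return ret;
}
/* Run n failing probes; return how many buffers remain allocated. */
static int leaked_after(int (*probe)(int, void **), int n) {
    void *buf = NULL;
    outstanding = 0;
    for (int i = 0; i < n; i++) probe(1, &buf);
    return outstanding;
}
int main(void) {
    printf("leaky=%d fixed=%d\n", leaked_after(probe_leaky, 8), leaked_after(probe_fixed, 8));
    return 0;
}
```

Each failed probe in the leaky shape strands one buffer, so the count grows with the number of failed initializations; the unwind label keeps it at zero.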

Affected Systems

Any Linux kernel build that includes the vt8500lcdfb framebuffer module and has not yet incorporated the upstream fix is susceptible. No specific kernel version numbers are enumerated, so all distributions, custom images, or unpatched custom kernels that load this driver remain at risk until the patch is applied.

Risk and Exploitability

The EPSS score for this vulnerability is below 1% and it is not listed in the CISA KEV catalog, indicating low current exploitation activity. The CVSS score of 5.5 reflects moderate severity. The likely attack vector is local, requiring the ability to load or force the vt8500lcdfb module and trigger its initialization failure. Because the leak is incremental, the risk is low‑moderate; an attacker could potentially accelerate resource exhaustion over extended operation, but immediate impact from unauthorized access is unlikely.

Generated by OpenCVE AI on May 11, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a release that incorporates the vt8500lcdfb patch.
  • If a custom or earlier kernel is in use, cherry‑pick or apply the upstream commit that adds dma_free_coherent() to the error path.
  • As a temporary measure, unload or blacklist the vt8500lcdfb framebuffer module until a patched kernel is available.

Advisories

No advisories yet.

History

Mon, 11 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 07 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Thu, 07 May 2026 00:15:00 +0000


Wed, 06 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fbdev: vt8500lcdfb: fix missing dma_free_coherent() fbi->fb.screen_buffer is allocated with dma_alloc_coherent() but is not freed if the error path is reached.
Title fbdev: vt8500lcdfb: fix missing dma_free_coherent()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:19:57.436Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43202

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:39.347

Modified: 2026-05-11T20:10:35.477

Link: CVE-2026-43202

Redhat

Severity :

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43202 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-11T23:30:02Z

Weaknesses