CVE-2026-43231 - Vulnerability Details

- media: radio-keene: fix memory leak in error path

Description

In the Linux kernel, the following vulnerability has been resolved:

media: radio-keene: fix memory leak in error path

Fix a memory leak in usb_keene_probe(). The v4l2 control handler is
initialized and controls are added, but if v4l2_device_register() or
video_register_device() fails afterward, the handler was never freed,
leaking memory.

Add v4l2_ctrl_handler_free() call in the err_v4l2 error path to ensure
the control handler is properly freed for all error paths after it is
initialized.

Published: 2026-05-06

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability is a memory leak in the Linux kernel’s radio-keene driver, occurring when the usb_keene_probe() function initializes the v4l2 control handler but later fails during device registration. The control handler is never freed in that error path, causing memory consumption to accumulate with each failure. This is a CWE-772 (Unreleased Resource) and CWE-401 (Memory Leak), and if an attacker can repeatedly trigger this failure the kernel could exhaust available memory, leading to a denial‑of‑service condition. No evidence indicates that the flaw permits arbitrary code execution or direct data disclosure.

Affected Systems

All Linux operating systems that include the radio‑keene driver in the kernel are affected, regardless of distribution or version, until the patch is applied. The vulnerability is present in any kernel that contains the unsupported driver and could impact embedded devices, servers, or desktops using compatible USB radio hardware.

Risk and Exploitability

The CVSS score is 5.5; EPSS score is <1%, reflecting a very low probability of exploitation, and the issue is not listed in CISA KEV. The memory leak presents a moderate to high risk of DoS if an attacker can supply a malicious USB device that repeatedly triggers the probe failure. The most likely attack vector is local via USB hardware insertion; however, masquerading a device as a legitimate radio peripheral could also allow the exploitation. Because the flaw does not grant direct code execution, the immediate threat is limited to service availability rather than full system compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1bf20c3a0c616f44359c573b533d06bae960ee45`	affected	< ad85bb5623079a35bd400f51de2e2fbc2170bdb2
`1bf20c3a0c616f44359c573b533d06bae960ee45`	affected	< 242b0aabb1866024a7995a767ac330c158b39aa4
`1bf20c3a0c616f44359c573b533d06bae960ee45`	affected	< 2fe28a63d598235595a9601e0d8fdc7c8f4fd575
`1bf20c3a0c616f44359c573b533d06bae960ee45`	affected	< 27c508f61963013fdf29097578284099ee7a85a4
`1bf20c3a0c616f44359c573b533d06bae960ee45`	affected	< 7fa9754f48cb8eefa566156be341e63d313247e5
`1bf20c3a0c616f44359c573b533d06bae960ee45`	affected	< 1d8558a232ecb187e8e0328d6347a125f437a0fc
`1bf20c3a0c616f44359c573b533d06bae960ee45`	affected	< de204d87e7d61859937272fe30cbdd46a4cfb10a
`1bf20c3a0c616f44359c573b533d06bae960ee45`	affected	< b8bf939d77c0cd01118e953bbf554e0fa15e9006

Linux

affected

Version	Status	Constraints
`3.4`	affected	—
`0`	unaffected	< 3.4
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1bf20c3a0c616f44359c573b533d06bae960ee45,ad85bb5623079a35bd400f51de2e2fbc2170bdb2)`	affected	code_commit	—
`[1bf20c3a0c616f44359c573b533d06bae960ee45,242b0aabb1866024a7995a767ac330c158b39aa4)`	affected	code_commit	—
`[1bf20c3a0c616f44359c573b533d06bae960ee45,2fe28a63d598235595a9601e0d8fdc7c8f4fd575)`	affected	code_commit	—
`[1bf20c3a0c616f44359c573b533d06bae960ee45,27c508f61963013fdf29097578284099ee7a85a4)`	affected	code_commit	—
`[1bf20c3a0c616f44359c573b533d06bae960ee45,7fa9754f48cb8eefa566156be341e63d313247e5)`	affected	code_commit	—
`[1bf20c3a0c616f44359c573b533d06bae960ee45,1d8558a232ecb187e8e0328d6347a125f437a0fc)`	affected	code_commit	—
`[1bf20c3a0c616f44359c573b533d06bae960ee45,de204d87e7d61859937272fe30cbdd46a4cfb10a)`	affected	code_commit	—
`[1bf20c3a0c616f44359c573b533d06bae960ee45,b8bf939d77c0cd01118e953bbf554e0fa15e9006)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.4`	affected	semver	—
`[0,3.4)`	unaffected	generic	—
`[5.10.252,5.11.0)`	unaffected	semver	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that includes the radio-keene memory‑leak fix.
If an update is not yet available, prevent the driver from loading by blacklisting the module or disabling it in the system configuration.
Reduce exposure by disabling or filtering the USB ports that could introduce compatible radio devices, thereby avoiding the probe failure path.

Generated by OpenCVE AI on May 8, 2026 at 22:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4606-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1d8558a232ecb187e8e0328d6347a125f437a0fc
https://git.kernel.org/stable/c/242b0aabb1866024a7995a767ac330c158b39aa4
https://git.kernel.org/stable/c/27c508f61963013fdf29097578284099ee7a85a4
https://git.kernel.org/stable/c/2fe28a63d598235595a9601e0d8fdc7c8f4fd575
https://git.kernel.org/stable/c/7fa9754f48cb8eefa566156be341e63d313247e5
https://git.kernel.org/stable/c/ad85bb5623079a35bd400f51de2e2fbc2170bdb2
https://git.kernel.org/stable/c/b8bf939d77c0cd01118e953bbf554e0fa15e9006
https://git.kernel.org/stable/c/de204d87e7d61859937272fe30cbdd46a4cfb10a
https://lore.kernel.org/linux-cve-announce/2026050656-CVE-2026-43231-6c4b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43231
https://www.cve.org/CVERecord?id=CVE-2026-43231

History

Fri, 08 May 2026 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 08 May 2026 02:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-401

Fri, 08 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026050656-CVE-2026-43231-6c4b@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43231 https://www.cve.org/CVERecord?id=CVE-2026-43231

Wed, 06 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: media: radio-keene: fix memory leak in error path Fix a memory leak in usb_keene_probe(). The v4l2 control handler is initialized and controls are added, but if v4l2_device_register() or video_register_device() fails afterward, the handler was never freed, leaking memory. Add v4l2_ctrl_handler_free() call in the err_v4l2 error path to ensure the control handler is properly freed for all error paths after it is initialized.
Title		media: radio-keene: fix memory leak in error path
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1d8558a232ecb187e8e0328d6347a125f437a0fc https://git.kernel.org/stable/c/242b0aabb1866024a7995a767ac330c158b39aa4 https://git.kernel.org/stable/c/27c508f61963013fdf29097578284099ee7a85a4 https://git.kernel.org/stable/c/2fe28a63d598235595a9601e0d8fdc7c8f4fd575 https://git.kernel.org/stable/c/7fa9754f48cb8eefa566156be341e63d313247e5 https://git.kernel.org/stable/c/ad85bb5623079a35bd400f51de2e2fbc2170bdb2 https://git.kernel.org/stable/c/b8bf939d77c0cd01118e953bbf554e0fa15e9006 https://git.kernel.org/stable/c/de204d87e7d61859937272fe30cbdd46a4cfb10a

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:28.268Z

Updated: 2026-05-11T22:20:32.379Z

Reserved: 2026-05-01T14:12:55.995Z

Link: CVE-2026-43231

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:43.083

Modified: 2026-05-08T21:09:10.137

Link: CVE-2026-43231

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43231 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T22:45:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object