Description
In the Linux kernel, the following vulnerability has been resolved:

fbdev: of: display_timing: fix refcount leak in of_get_display_timings()

of_parse_phandle() returns a device_node with refcount incremented,
which is stored in 'entry' and then copied to 'native_mode'. When the
error paths at lines 184 or 192 jump to 'entryfail', native_mode's
refcount is not decremented, causing a refcount leak.

Fix this by changing the goto target from 'entryfail' to 'timingfail',
which properly calls of_node_put(native_mode) before cleanup.
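
A user-space model of the cleanup-label pattern the description refers to, added here as an illustration and not taken from the kernel source. `struct node`, `node_get()`, `node_put()`, `parse_timings()` and `leaked_after()` are constructed stand-ins, and the fall-through from `timingfail` into `entryfail` is an assumption based on the description's wording.

```c
#include <stdio.h>

/* Constructed stand-in for a refcounted struct device_node. */
struct node { int refcount; };

static struct node *node_get(struct node *n) { if (n) n->refcount++; return n; }
static void node_put(struct node *n) { if (n) n->refcount--; }

/*
 * Hypothetical model of the error handling. 'fixed' selects which label the
 * failing path jumps to: entryfail (before the fix) or timingfail (after).
 */
static int parse_timings(struct node *timings, struct node *native,
                         int fail_in_loop, int fixed)
{
    struct node *np = node_get(timings);    /* parent node reference */
    struct node *entry = node_get(native);  /* models of_parse_phandle(): +1 */
    struct node *native_mode = entry;       /* pointer copy, same reference */
    int ret = -1;

    if (fail_in_loop) {
        if (fixed)
            goto timingfail;                /* releases native_mode first */
        goto entryfail;                     /* skips the release: leak */
    }
    ret = 0;                                /* success also drops the reference */
timingfail:
    node_put(native_mode);
entryfail:
    node_put(np);
    return ret;
}

/* Run the parser 'calls' times and report references still held on 'native'. */
static int leaked_after(int calls, int fail_in_loop, int fixed)
{
    struct node timings = {0}, native = {0};
    for (int i = 0; i < calls; i++)
        parse_timings(&timings, &native, fail_in_loop, fixed);
    return native.refcount;
}

int main(void)
{
    printf("before fix: %d leaked refs\n", leaked_after(1000, 1, 0));
    printf("after fix:  %d leaked refs\n", leaked_after(1000, 1, 1));
    return 0;
}
```

Each failing call on the pre-fix path leaves one reference outstanding, so the count grows linearly with the number of failed parses, which is the gradual exhaustion the analysis below describes.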
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the fbdev subsystem of the Linux kernel, where the function of_parse_phandle() increases the reference count of a device node that is later copied into native_mode. On certain error paths, the reference to native_mode is never released, causing a refcount leak. This improper reclamation can lead to gradual kernel memory exhaustion or a crash if the leak is exploited repeatedly. The weakness corresponds to CWE‑911 (Missing Reference Count Decrement) and has also been classified as NVD-CWE-Other.

Affected Systems

All configurations of the Linux kernel that include the fbdev subsystem with the legacy display‑timing handling code are affected. Any kernel build that predates the commit that introduces the fix (identified by hash 20881ad4) remains vulnerable. Vendor‑specific information is not provided, so the risk applies to all distributions that ship the affected kernel code without the update.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity, and the EPSS score is noted as < 1%, meaning the probability of exploitation is low. The vulnerability is not listed in CISA KEV. Based on the description, it is inferred that an attacker would need local kernel privileges to trigger the faulty code path, such as loading a malicious kernel module or invoking an operation that causes display‑timing parsing. Once the reference count leaks, repeated invocations could deplete kernel memory or destabilize the system, effectively denying service. The need for privileged access and the low exploitation probability reduce the likelihood of widespread attack.

Generated by OpenCVE AI on May 8, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a release that contains commit 20881ad4, which corrects the reference count handling in the fbdev display timing code.
  • If a custom kernel cannot be updated immediately, apply the patch that changes the error handling from entryfail to timingfail, ensuring that of_node_put(native_mode) is called before cleanup.
  • Reboot the system after applying the patch or updating the kernel to ensure the corrected driver is loaded and that no errant reference counts remain in use.


Advisories
Source: Debian DLA
ID: DLA-4606-1
Title: linux security update
History

Fri, 08 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-Other

Thu, 07 May 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-674

Thu, 07 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 06 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-674

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fbdev: of: display_timing: fix refcount leak in of_get_display_timings() of_parse_phandle() returns a device_node with refcount incremented, which is stored in 'entry' and then copied to 'native_mode'. When the error paths at lines 184 or 192 jump to 'entryfail', native_mode's refcount is not decremented, causing a refcount leak. Fix this by changing the goto target from 'entryfail' to 'timingfail', which properly calls of_node_put(native_mode) before cleanup.
Title fbdev: of: display_timing: fix refcount leak in of_get_display_timings()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:21:11.841Z

Reserved: 2026-05-01T14:12:55.997Z

Link: CVE-2026-43264

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:47.373

Modified: 2026-05-08T20:33:27.567

Link: CVE-2026-43264

Redhat

Severity : Low

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43264 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T21:30:05Z

Weaknesses