The vulnerability in the Linux kernel causes a reference count leak each time the pcs_add_gpio_func() function processes a GPIO-related device tree entry. Because of_node_put() calls were omitted, every parsed phandle increments the reference count without a matching decrement, leading to a gradual increase in reference counts for device nodes. Over time, this can exhaust kernel memory resources or affect device node handling, resulting in unpredictable kernel behavior or a denial‑of‑service state if the leaks accumulate far enough. The weakness is a classic example of uncontrolled resource consumption, specifically a reference count mismanagement.

This flaw affects the Linux kernel itself across all versions shipped before the fixed commit, regardless of distribution. Any system that loads device tree nodes processed by pcs_add_gpio_func() is potentially impacted, encompassing a wide range of embedded and server platforms that rely on the pinctrl subsystem.

No EPSS data is available, and the vulnerability is not listed in CISA KEV, indicating no confirmed public exploits. The CVSS score is not provided, so the technical severity cannot be quantified here. The likely attack vector is local, requiring an attacker to influence the kernel's device tree parsing—such as by installing malicious hardware or firmware that includes crafted phandle entries, or through privileged execution on the host. Given the lack of public exploitation and a local execution dependency, the exploitability is considered low to moderate, but the potential for resource exhaustion warrants prompt remediation.