CVE-2026-45888 - Vulnerability Details

- md/raid1: fix memory leak in raid1_run()

Description

In the Linux kernel, the following vulnerability has been resolved:

md/raid1: fix memory leak in raid1_run()

raid1_run() calls setup_conf() which registers a thread via
md_register_thread(). If raid1_set_limits() fails, the previously
registered thread is not unregistered, resulting in a memory leak
of the md_thread structure and the thread resource itself.

Add md_unregister_thread() to the error path to properly cleanup
the thread, which aligns with the error handling logic of other paths
in this function.

Compile tested only. Issue found using a prototype static analysis tool
and code review.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The kernel’s RAID1 subsystem has a flaw where the function raid1_run() registers a thread and, if a subsequent limit setting fails, does not deregister that thread. The unreleased md_thread structure and thread resource remain in memory, creating a leak that can grow with repeated errors and eventually exhaust system memory or thread tables. The vulnerability does not directly grant an attacker access or execution capability, but it can degrade availability by affecting system stability when trigger conditions occur.

Affected Systems

All Linux kernel releases that include the unpatched md/raid1 code are affected. The issue was identified before the commit that fixed the leak, so any kernel built from the recommended source trees lacking the patch is vulnerable. No specific version list is supplied; rather, any kernel that contains the original raid1_run() implementation without the cleanup logic is impacted.

Risk and Exploitability

The CVSS score, EPSS score, and KEV status are not available, and the vulnerability is not listed in CISA KEV. The risk assessment therefore relies on the nature of the flaw: a memory leak can lead to resource exhaustion, but exploitation requires conditions that cause raid1_set_limits() to fail repeatedly. This likely demands local or privileged access, and no public exploit is known. Consequently, the overall risk is moderate to low, pending further details about the failure trigger frequency in production workloads.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`97894f7d3c2966164516a8a5109674763d3a55e1`	affected	< c94fd6e8a71efd047ff36930e840f3c25679e136
`97894f7d3c2966164516a8a5109674763d3a55e1`	affected	< ec10e3dc93994b87adf7c759a4639fe34013989a
`97894f7d3c2966164516a8a5109674763d3a55e1`	affected	< b37588b0282a2b3cdda9db1d53712745ce66dea0
`97894f7d3c2966164516a8a5109674763d3a55e1`	affected	< 6abc7d5dcf0ee0f85e16e41c87fbd06231f28753

Linux

affected

Version	Status	Constraints
`6.9`	affected	—
`0`	unaffected	< 6.9
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[97894f7d3c2966164516a8a5109674763d3a55e1,c94fd6e8a71efd047ff36930e840f3c25679e136)`	affected	code_commit	—
`[97894f7d3c2966164516a8a5109674763d3a55e1,ec10e3dc93994b87adf7c759a4639fe34013989a)`	affected	code_commit	—
`[97894f7d3c2966164516a8a5109674763d3a55e1,b37588b0282a2b3cdda9db1d53712745ce66dea0)`	affected	code_commit	—
`[97894f7d3c2966164516a8a5109674763d3a55e1,6abc7d5dcf0ee0f85e16e41c87fbd06231f28753)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.9`	affected	generic	—
`[0,6.9)`	unaffected	generic	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that incorporates the commit resolving this leak; use distribution security updates or apply the patch from the official git repository.
If an immediate kernel upgrade is not possible, consider disabling or limiting the use of RAID1 devices to reduce the likelihood of the error path being exercised.
Regularly monitor system memory and thread usage for signs of a leak when RAID1 is in use, and apply the kernel update as soon as it becomes available.

Generated by OpenCVE AI on May 27, 2026 at 16:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/6abc7d5dcf0ee0f85e16e41c87fbd06231f28753
https://git.kernel.org/stable/c/b37588b0282a2b3cdda9db1d53712745ce66dea0
https://git.kernel.org/stable/c/c94fd6e8a71efd047ff36930e840f3c25679e136
https://git.kernel.org/stable/c/ec10e3dc93994b87adf7c759a4639fe34013989a

History

Wed, 27 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400 CWE-401

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: md/raid1: fix memory leak in raid1_run() raid1_run() calls setup_conf() which registers a thread via md_register_thread(). If raid1_set_limits() fails, the previously registered thread is not unregistered, resulting in a memory leak of the md_thread structure and the thread resource itself. Add md_unregister_thread() to the error path to properly cleanup the thread, which aligns with the error handling logic of other paths in this function. Compile tested only. Issue found using a prototype static analysis tool and code review.
Title		md/raid1: fix memory leak in raid1_run()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/6abc7d5dcf0ee0f85e16e41c87fbd06231f28753 https://git.kernel.org/stable/c/b37588b0282a2b3cdda9db1d53712745ce66dea0 https://git.kernel.org/stable/c/c94fd6e8a71efd047ff36930e840f3c25679e136 https://git.kernel.org/stable/c/ec10e3dc93994b87adf7c759a4639fe34013989a

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:16:59.751Z

Updated: 2026-05-27T12:16:59.751Z

Reserved: 2026-05-13T15:03:33.082Z

Link: CVE-2026-45888

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:02.813

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45888

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:45:39Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object