The flaw resides in the Linux kernel’s PWM subsystem. When a PWM chip is allocated via pwmchip_alloc(), the allocation creates a pwm_chip structure with an initial reference count that must be released on all error paths. If the subsequent __pinned_init() fails, the code returns without calling pwmchip_put(), leaving that reference unreleased. Each failure therefore leaks memory, and repeated failure events can cause the kernel memory usage to grow until the system becomes unstable or unresponsive. The vulnerability does not provide direct code execution, but it can lead to a denial‑of‑service condition through resource exhaustion.

The bug affects all Linux kernels that have not incorporated the patch commits shown in the advisory. No specific version constraints are published in the CVE record, so any system running a kernel version prior to the inclusion of the described fixes—identified in the commit logs—remains vulnerable. The issue applies to distributions that load the PWM subsystem, regardless of whether the kernel is running in user space or on embedded devices.

The impact is a classic resource‑management flaw (CWE‑772). The description indicates that the likely attack vector requires the attacker to trigger PWM chip initialization failures locally. No remote exploit path is described. The vulnerability is not listed in CISA’s KEV catalog. Because the flaw can deplete kernel memory, the risk is moderate to high for systems that allow untrusted local users or services to allocate PWM chips. Successful exploitation would result in memory exhaustion and service interruption rather than direct code execution. The EPSS score of <1% indicates a very low probability of exploitation.