Description
In the Linux kernel, the following vulnerability has been resolved:

media: chips-media: wave5: Fix memory leak on codec_info allocation failure

In wave5_vpu_open_enc() and wave5_vpu_open_dec(), a vpu instance is
allocated via kzalloc(). If the subsequent allocation for inst->codec_info
fails, the functions return -ENOMEM without freeing the previously
allocated instance, causing a memory leak.

Fix this by calling kfree() on the instance in this error path to ensure
it is properly released.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel’s wave5 VPU driver causes a memory leak when the codec_info allocation fails during instance initialization. The previously allocated VPU instance is never freed, resulting in unreleased kernel memory that can accumulate over time. While this bug does not grant code execution, repeated failures can exhaust kernel memory and degrade system performance or trigger a kernel panic, effectively creating a denial‑of‑service condition. The weakness is a classic example of improper resource deallocation.

Affected Systems

The issue affects the Linux kernel component that implements the wave5 VPU driver. No specific kernel version range is provided, so any kernel where this driver has been built without the patch can be impacted.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of widespread exploitation. The attack vector is limited to paths that invoke the wave5 codec opening routines, which typically require a user or privileged context that calls the driver. The impact remains local to the affected host, but the lack of a memory cleanup can lead to resource exhaustion if the failure path is hit repeatedly. Because of the absence of a readily exploitable code path, the overall risk is considered moderate, with the primary concern being the potential for service degradation rather than immediate compromise.

Generated by OpenCVE AI on May 27, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the wave5 driver patch
  • If an official update is not yet available, apply the upstream patch that adds kfree() to the failure path and rebuild the kernel
  • After applying the patch or update, monitor VPU-related logs for recurrence of allocation failures to verify the memory leak has been corrected

Generated by OpenCVE AI on May 27, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix memory leak on codec_info allocation failure In wave5_vpu_open_enc() and wave5_vpu_open_dec(), a vpu instance is allocated via kzalloc(). If the subsequent allocation for inst->codec_info fails, the functions return -ENOMEM without freeing the previously allocated instance, causing a memory leak. Fix this by calling kfree() on the instance in this error path to ensure it is properly released.
Title media: chips-media: wave5: Fix memory leak on codec_info allocation failure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:47.075Z

Reserved: 2026-05-13T15:03:33.086Z

Link: CVE-2026-45928

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:08.707

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45928

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T16:30:36Z

Weaknesses