Description
In the Linux kernel, the following vulnerability has been resolved:

s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

`css_alloc_subchannel()` calls `device_initialize()` before setting up
the DMA masks. If `dma_set_coherent_mask()` or `dma_set_mask()` fails,
the error path frees the subchannel structure directly, bypassing
the device model reference counting.

Once `device_initialize()` has been called, the embedded struct device
must be released via `put_device()`, allowing the release callback to
free the container structure.

Fix the error path by dropping the initial device reference with
`put_device()` instead of calling `kfree()` directly.

This ensures correct device lifetime handling and avoids potential
use-after-free or double-free issues.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in the Linux kernel’s s390 CIO subchannel allocation process originates from incorrect reference counting. css_alloc_subchannel() calls device_initialize() before setting up the DMA masks. If dma_set_coherent_mask() or dma_set_mask() fails, the error path frees the subchannel structure directly with kfree(), bypassing the device model reference counting. Once device_initialize() has been called, the embedded struct device must be released via put_device(), allowing the release callback to free the containing structure. The recent fix drops the initial device reference with put_device() on the error path. This change prevents improper memory deallocation that could lead to memory corruption or double‑free conditions, and in turn to use of freed memory or a kernel panic.
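
The lifecycle rule described above, as an added example that is not the kernel's code: a userspace C model in which the function names mirror the kernel's but every body is a constructed stand-in. The pre_fix switch, model_dma_set_mask() and the release_calls counter are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdlib.h>

/* Userspace model (constructed): names mirror the kernel's, bodies do not. */
struct device {
    int refcount;                         /* stands in for the kobject kref */
    void (*release)(struct device *dev);  /* frees the containing object */
};

struct subchannel {
    int schid;
    struct device dev;                    /* embedded struct device */
};

static int release_calls;                 /* instrumentation for the demo */

static void subchannel_release(struct device *dev)
{
    release_calls++;
    free((char *)dev - offsetof(struct subchannel, dev));
}

static void device_initialize(struct device *dev) { dev->refcount = 1; }

static void put_device(struct device *dev)
{
    if (--dev->refcount == 0)
        dev->release(dev);
}

/* Hypothetical stand-in for dma_set_coherent_mask()/dma_set_mask(). */
static int model_dma_set_mask(int fail) { return fail ? -5 : 0; }

/* pre_fix != 0 reproduces the old error path, 0 the corrected one. */
static struct subchannel *alloc_subchannel(int dma_fails, int pre_fix, int *err)
{
    struct subchannel *sch = calloc(1, sizeof(*sch));

    if (!sch) { *err = -12; return NULL; }
    sch->dev.release = subchannel_release;
    device_initialize(&sch->dev);         /* refcount is live from here on */
    *err = model_dma_set_mask(dma_fails);
    if (!*err)
        return sch;
    if (pre_fix)
        free(sch);                        /* bypasses refcount and release() */
    else
        put_device(&sch->dev);            /* release() frees the container */
    return NULL;
}
```

On the pre-fix path the container is freed while its reference count is still 1 and the release callback never runs; on the corrected path the count drops to zero and the callback is the only place the memory is freed.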

Affected Systems

Any Linux kernel running on the IBM s390 architecture that does not include the committed fix is affected. The buggy code resides in core kernel subsystems, so all s390 installations that use the default cio driver before the commit that added the put_device() fix are potentially vulnerable. No vendor‑specific version list is provided, but the flaw applies to all s390 kernels prior to the patch release.

Risk and Exploitability

The CVSS score is 5.5, placing the flaw in the medium severity range; the EPSS score is not available. The flaw is not listed in the CISA KEV catalog, indicating no known public exploits yet. Based on the description, it is inferred that attackers would need privileged or root access to invoke the subchannel allocation routine, limiting exposure to local users with elevated rights, and that an attacker who triggers the failure path could cause memory corruption or a kernel panic, potentially leading to kernel‑level code execution. This represents a significant but constrained risk.

Generated by OpenCVE AI on May 28, 2026 at 04:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the commit fixing css_alloc_subchannel() (e.g. the patch referenced at https://git.kernel.org/stable/c/2b2ad7ad4a28ffdb9f94e6d979b88a5b12b71681).
  • If a kernel upgrade is delayed, limit the use of the s390 CIO allocation API so that only processes possessing CAP_SYS_ADMIN can request subchannel creation, reducing the attack surface for local users.
  • Continuously monitor kernel logs (dmesg, /var/log/kern.log, etc.) for messages related to subchannel allocation failures or kernel panics that might indicate exploitation attempts.

Advisories
Source: Debian DLA
ID: DLA-4606-1
Title: linux security update

History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Mon, 01 Jun 2026 17:30:00 +0000


Thu, 28 May 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 27 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Title s390/cio: Fix device lifecycle handling in css_alloc_subchannel()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-01T16:16:41.646Z

Reserved: 2026-05-13T15:03:33.090Z

Link: CVE-2026-45981

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-27T14:17:15.233

Modified: 2026-06-16T02:39:43.643

Link: CVE-2026-45981

Redhat

Severity: Moderate

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45981 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T04:45:07Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-911

    Improper Update of Reference Count