Description
In the Linux kernel, the following vulnerability has been resolved:

s390/cio: Fix device lifecycle handling in css_alloc_subchannel()

`css_alloc_subchannel()` calls `device_initialize()` before setting up
the DMA masks. If `dma_set_coherent_mask()` or `dma_set_mask()` fails,
the error path frees the subchannel structure directly, bypassing
the device model reference counting.

Once `device_initialize()` has been called, the embedded struct device
must be released via `put_device()`, allowing the release callback to
free the container structure.

Fix the error path by dropping the initial device reference with
`put_device()` instead of calling `kfree()` directly.

This ensures correct device lifetime handling and avoids potential
use-after-free or double-free issues.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The defect lies in the Linux kernel’s s390 Customer I/O subsystem: the function that allocates subchannels initializes the device before setting DMA masks. If the subsequent DMA calls fail, the routine frees the subchannel structure with a direct kernel free, leaking the device reference held by the kernel’s device model. This mis‑management can cause a use‑after‑free or double‑free condition, potentially leading to memory corruption or a kernel panic. The weakness is identified as CWE‑401 (Memory Leak) and CWE‑911 (Double Free).

Affected Systems

All Linux kernels running on the s390 architecture that have not incorporated the posted commit are affected. The patch applies to every unfixed s390 release, regardless of vendor or distribution customizations.

Risk and Exploitability

With a CVSS score of 5.5 and an EPSS score of less than 1%, the vulnerability falls into the medium severity band and is considered unlikely to be widely exploited today. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker requires local or privileged rights to trigger the subchannel allocation routine; the likely attack vector is a local privilege escalation using the system’s s390 subchannel allocation interface. If the failure path is executed, the resulting memory corruption or panic could provide kernel‑level execution opportunities, but the risk remains constrained to environments where the compromised API is reachable.

Generated by OpenCVE AI on June 18, 2026 at 14:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the kernel update that includes the proper device reference counting in css_alloc_subchannel(); this resolves the memory‑leak and double‑free path.
  • Limit the s390 subchannel allocation interface to users with root or CAP_SYS_ADMIN privileges, reducing the attack surface for local privilege escalation.
  • Continuously monitor kernel logs (via dmesg or syslog) for subchannel allocation failures or kernel panics; such events may signal an attempted exploitation of the defect.

Generated by OpenCVE AI on June 18, 2026 at 14:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
Ubuntu USN Ubuntu USN USN-8492-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8492-2 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8497-1 Linux kernel (Low Latency) vulnerabilities
Ubuntu USN Ubuntu USN USN-8498-1 Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN Ubuntu USN USN-8499-1 Linux kernel (Xilinx) vulnerabilities
Ubuntu USN Ubuntu USN USN-8492-3 Linux kernel (Raspberry Pi Real-time) vulnerabilities
History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Mon, 01 Jun 2026 17:30:00 +0000


Thu, 28 May 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 27 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: s390/cio: Fix device lifecycle handling in css_alloc_subchannel() `css_alloc_subchannel()` calls `device_initialize()` before setting up the DMA masks. If `dma_set_coherent_mask()` or `dma_set_mask()` fails, the error path frees the subchannel structure directly, bypassing the device model reference counting. Once `device_initialize()` has been called, the embedded struct device must be released via `put_device()`, allowing the release callback to free the container structure. Fix the error path by dropping the initial device reference with `put_device()` instead of calling `kfree()` directly. This ensures correct device lifetime handling and avoids potential use-after-free or double-free issues.
Title s390/cio: Fix device lifecycle handling in css_alloc_subchannel()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-01T16:16:41.646Z

Reserved: 2026-05-13T15:03:33.090Z

Link: CVE-2026-45981

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:15.233

Modified: 2026-06-17T10:52:50.500

Link: CVE-2026-45981

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45981 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:45:11Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-911

    Improper Update of Reference Count