Impact
In the Linux kernel, the scsi:sd driver contains a resource management flaw where a missing put_disk() call leaves a gendisk reference after device_add(&disk_dev) fails. The unchecked reference can cause memory or resource leaks, which in turn may lead to system instability or a denial of service. The weakness is classified as CWE-772: Resource Management Errors.
Affected Systems
All versions of the Linux kernel before the commit that inserted the missing put_disk() call are affected. The product is the Linux kernel as a whole; affected vendors include Linux: Linux, and all distributions based on it. This includes kernel releases 5.15 and earlier, and any kernel running from 5.15‑rc3 through 5.15‑rc7 as listed in the CPE data.
Risk and Exploitability
The flaw is triggered in the kernel’s handling of SCSI device addition, which normally requires elevated privileges. The likely attack vector is forcing device_add(&disk_dev) to fail, for example by presenting a malformed or malicious SCSI device to the driver. The EPSS score (< 1%) indicates a very low probability of exploitation; the CVSS score of 5.5 indicates moderate severity. Since the vulnerability is not listed in the CISA KEV catalog, there is no current evidence of widespread exploitation. Local privileged attackers could repeatedly trigger the error path to consume resources or destabilize the system, but remote exploitation is not evident based on the existing description.
OpenCVE Enrichment
Debian DLA
Ubuntu USN