Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails

If device_add(&sdkp->disk_dev) fails, put_device() runs
scsi_disk_release(), which frees the scsi_disk but leaves the gendisk
referenced. The device_add_disk() error path in sd_probe() calls
put_disk(gd); call put_disk(gd) here to mirror that cleanup.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a flaw in the SCSI disk subsystem where a missing put_disk() call leaves a gendisk structure referenced after device_add(&disk_dev) fails. This creates a memory leak or dangling reference that can cause resource exhaustion or system instability if repeated over time. The vulnerability is a kernel‑level bug that can lead to denial of service by corrupting internal disk management structures.

Affected Systems

All Linux kernel releases are affected because the issue is present in the core SCSI disk driver. No specific kernel version range is provided, so administrators should treat every kernel prior to the commit that added the missing put_disk() as vulnerable.

Risk and Exploitability

The exploit requires interaction with the kernel during device addition, which is normally a privileged operation performed by the system when a SCSI disk is accessed or inserted. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The CVSS score is not provided. However, because the flaw is local to kernel operations and can lead to resource exhaustion, the overall risk is moderate; an attacker with local privileged access could repeatedly trigger the error path to deplete memory or crash the system.

Generated by OpenCVE AI on May 27, 2026 at 17:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the commit adding the missing put_disk() call in the SCSI disk driver.
  • Verify that the system no longer reports device_add failures in kernel logs and that SCSI disk initialization completes successfully.
  • If an immediate upgrade is not possible, reduce the frequency of SCSI device additions or disable automatic device probes for untrusted devices to limit the impact of the bug.

Generated by OpenCVE AI on May 27, 2026 at 17:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails If device_add(&sdkp->disk_dev) fails, put_device() runs scsi_disk_release(), which frees the scsi_disk but leaves the gendisk referenced. The device_add_disk() error path in sd_probe() calls put_disk(gd); call put_disk(gd) here to mirror that cleanup.
Title scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:55:51.154Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-45997

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:17.280

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45997

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T17:15:38Z

Weaknesses

No weakness.