Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails

If device_add(&sdkp->disk_dev) fails, put_device() runs
scsi_disk_release(), which frees the scsi_disk but leaves the gendisk
referenced. The device_add_disk() error path in sd_probe() calls
put_disk(gd); call put_disk(gd) here to mirror that cleanup.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the scsi:sd driver contains a resource management flaw where a missing put_disk() call leaves a gendisk reference after device_add(&disk_dev) fails. The unchecked reference can cause memory or resource leaks, which in turn may lead to system instability or a denial of service. The weakness is classified as CWE-772: Resource Management Errors.

Affected Systems

All versions of the Linux kernel before the commit that inserted the missing put_disk() call are affected. The product is the Linux kernel as a whole; affected vendors include Linux: Linux, and all distributions based on it. This includes kernel releases 5.15 and earlier, and any kernel running from 5.15‑rc3 through 5.15‑rc7 as listed in the CPE data.

Risk and Exploitability

The flaw is triggered in the kernel’s handling of SCSI device addition, which normally requires elevated privileges. The likely attack vector is forcing device_add(&disk_dev) to fail, for example by presenting a malformed or malicious SCSI device to the driver. The EPSS score (< 1%) indicates a very low probability of exploitation; the CVSS score of 5.5 indicates moderate severity. Since the vulnerability is not listed in the CISA KEV catalog, there is no current evidence of widespread exploitation. Local privileged attackers could repeatedly trigger the error path to consume resources or destabilize the system, but remote exploitation is not evident based on the existing description.

Generated by OpenCVE AI on June 18, 2026 at 04:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that adds the missing put_disk() call in the sd_probe() function.
  • Reboot or reload the kernel module to activate the patch immediately.
  • If an update cannot be applied right away, restrict the addition of new SCSI devices or disable auto‑probing of untrusted devices to reduce the risk of triggering the bug.

Generated by OpenCVE AI on June 18, 2026 at 04:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
Ubuntu USN Ubuntu USN USN-8488-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8489-1 Linux kernel (OEM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8488-2 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-8507-1 Linux kernel (NVIDIA) vulnerabilities
History

Tue, 16 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:5.15:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc7:*:*:*:*:*:*

Mon, 01 Jun 2026 17:00:00 +0000


Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails If device_add(&sdkp->disk_dev) fails, put_device() runs scsi_disk_release(), which frees the scsi_disk but leaves the gendisk referenced. The device_add_disk() error path in sd_probe() calls put_disk(gd); call put_disk(gd) here to mirror that cleanup.
Title scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:47:03.622Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-45997

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:17.280

Modified: 2026-06-17T10:52:52.240

Link: CVE-2026-45997

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45997 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T04:15:15Z

Weaknesses