CVE-2026-46030 - Vulnerability Details

- EDAC/versalnet: Fix device_node leak in mc_probe()

Description

In the Linux kernel, the following vulnerability has been resolved:

EDAC/versalnet: Fix device_node leak in mc_probe()

of_parse_phandle() returns a device_node reference that must be released with
of_node_put(). The original code never freed r5_core_node on any exit path,
causing a memory leak.

Fix this by using the automatic cleanup attribute __free(device_node) which
ensures of_node_put() is called when the variable goes out of scope.

Published: 2026-05-27

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, a device_node reference returned by of_parse_phandle() is never freed in the EDAC/versalnet driver. The reference r5_core_node remains allocated on all exit paths, creating a memory leak. Over time, repeated invocations could accumulate unused memory, degrading system performance and potentially exhausting available memory, which may affect stability and availability.

Affected Systems

The vulnerability affects the Linux kernel, specifically the VersalNet EDAC driver that handles hardware error detection on Versal Net devices. Any system running a kernel build that contains this driver and does not include the patch will be susceptible.

Risk and Exploitability

There is no reported CVSS score, EPSS score, or KEV listing for this issue, indicating that the public exploitation data is currently lacking. The risk is primarily tied to internal usage: a long‑running device that loads and unloads this driver repeatedly could accumulate memory usage, but there is no known external attack vector or privilege escalation from the leak. Consequently, the exploitation likelihood is considered low and the impact is moderate, limited to resource exhaustion.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`d5fe2fec6c40dda03df8cc9b4a97de0b7e39f984`	affected	< b6e61356ad24987be40bf25369d22dd8dd00a513
`d5fe2fec6c40dda03df8cc9b4a97de0b7e39f984`	affected	< 17e136993b2b5111d1ee1c57bbd188ae0bb0e128
`d5fe2fec6c40dda03df8cc9b4a97de0b7e39f984`	affected	< 5c709b376460ff322580c41600e31c02f7cc0307

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[d5fe2fec6c40dda03df8cc9b4a97de0b7e39f984,b6e61356ad24987be40bf25369d22dd8dd00a513)`	affected	code_commit	—
`[d5fe2fec6c40dda03df8cc9b4a97de0b7e39f984,17e136993b2b5111d1ee1c57bbd188ae0bb0e128)`	affected	code_commit	—
`[d5fe2fec6c40dda03df8cc9b4a97de0b7e39f984,5c709b376460ff322580c41600e31c02f7cc0307)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.18`	affected	generic	—
`[0,6.18)`	unaffected	generic	—
`[6.18.27,6.19.0)`	unaffected	semver	—
`[7.0.4,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a kernel version that includes the mc_probe() memory leak fix
If a kernel update is not immediately available, apply the patch from the provided kernel commits (17e1369, 5c709b3, b6e6135) and rebuild the kernel
If the patch cannot be applied, disable the EDAC/versalnet driver or limit its use to prevent prolonged memory accumulation

Generated by OpenCVE AI on May 28, 2026 at 04:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00121.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/17e136993b2b5111d1ee1c57bbd188ae0bb0e128
https://git.kernel.org/stable/c/5c709b376460ff322580c41600e31c02f7cc0307
https://git.kernel.org/stable/c/b6e61356ad24987be40bf25369d22dd8dd00a513
https://lore.kernel.org/linux-cve-announce/2026052748-CVE-2026-46030-b18a@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46030
https://www.cve.org/CVERecord?id=CVE-2026-46030

History

Tue, 16 Jun 2026 17:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 28 May 2026 03:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-401

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-911
References		https://lore.kernel.org/linux-cve-announce/2026052748-CVE-2026-46030-b18a@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46030 https://www.cve.org/CVERecord?id=CVE-2026-46030

Wed, 27 May 2026 20:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: EDAC/versalnet: Fix device_node leak in mc_probe() of_parse_phandle() returns a device_node reference that must be released with of_node_put(). The original code never freed r5_core_node on any exit path, causing a memory leak. Fix this by using the automatic cleanup attribute __free(device_node) which ensures of_node_put() is called when the variable goes out of scope.
Title		EDAC/versalnet: Fix device_node leak in mc_probe()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/17e136993b2b5111d1ee1c57bbd188ae0bb0e128 https://git.kernel.org/stable/c/5c709b376460ff322580c41600e31c02f7cc0307 https://git.kernel.org/stable/c/b6e61356ad24987be40bf25369d22dd8dd00a513

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:56:39.170Z

Updated: 2026-06-14T17:49:10.170Z

Reserved: 2026-05-13T15:03:33.093Z

Link: CVE-2026-46030

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:21.913

Modified: 2026-06-16T17:38:25.367

Link: CVE-2026-46030

Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46030 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T04:45:07Z

Weaknesses

CWE-401
Missing Release of Memory after Effective Lifetime
CWE-911
Improper Update of Reference Count

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object