Description
In the Linux kernel, the following vulnerability has been resolved:

amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()

On failure to set the epp, the function amd_pstate_epp_cpu_init()
returns with an error code without freeing the cpudata object that was
allocated at the beginning of the function.

Ensure that the cpudata object is freed before returning from the
function.

This memory leak was discovered by Claude Opus 4.6 with the aid of
Chris Mason's AI review-prompts
(https://github.com/masoncl/review-prompts/tree/main/kernel).
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a memory leak in the Linux kernel’s amd‑pstate driver. When the function amd_pstate_epp_cpu_init() fails to set the Engine Power Profile, it allocates a cpudata structure but does not release it before returning an error. Over repeated failures the unfreed kernel memory can accumulate, potentially exhausting system memory, degrading performance, or even triggering a kernel panic. The official description states this leakage but does not describe an immediate denial of service; the effect is inferred as it could eventually lead to instability.

Affected Systems

All Linux kernel images that contain the amd‑pstate driver code before the commit that implements the free operation are potentially affected. Because no specific version ranges are published, any distribution using a kernel that predates the fix may be vulnerable. Administrators should verify whether their kernel contains the vulnerable code path by checking for the commit hash indicated in the references.

Risk and Exploitability

The CVSS score is 5.5, the EPSS score is < 1%, and KEV is not listed. Exploitation would require use of the EPP interface, but the privilege level needed is not specified in the input; it is inferred that modifying the EPP likely requires elevated privileges such as root or a capability that allows writing to sysfs entries. Coupled with the lack of a remote exploitation vector, the primary risk lies in local or privileged attackers repeatedly invoking the failing path, which could lead to memory exhaustion.

Generated by OpenCVE AI on June 27, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a release that includes the patch referenced in the commit logs.
  • If an update is not possible, disable the amd‑pstate driver by booting with the kernel parameter "amd_pstate=disable" or removing the module from the system.
  • Restrict access to the EPP interface by adjusting permissions on relevant sysfs entries or enforcing SELinux policies to limit write access to trusted users.

Generated by OpenCVE AI on June 27, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 24 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init() On failure to set the epp, the function amd_pstate_epp_cpu_init() returns with an error code without freeing the cpudata object that was allocated at the beginning of the function. Ensure that the cpudata object is freed before returning from the function. This memory leak was discovered by Claude Opus 4.6 with the aid of Chris Mason's AI review-prompts (https://github.com/masoncl/review-prompts/tree/main/kernel).
Title amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:51.294Z

Reserved: 2026-06-09T07:44:35.386Z

Link: CVE-2026-53121

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53121 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T03:30:10Z

Weaknesses
  • CWE-772

    Missing Release of Resource after Effective Lifetime