Description
In the Linux kernel, the following vulnerability has been resolved:

tee: shm: fix shm leak in register_shm_helper()

register_shm_helper() allocates shm before calling
iov_iter_npages(). If iov_iter_npages() returns 0, the function
jumps to err_ctx_put and leaks shm.

This can be triggered by TEE_IOC_SHM_REGISTER with
struct tee_ioctl_shm_register_data where length is 0.

Jump to err_free_shm instead.
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel has a flaw in the register_shm_helper() routine: shared memory (shm) is allocated before the number of pages is checked. When the I/O vector page count returns zero, the code jumps to a cleanup path that does not release the allocated memory, resulting in a memory leak. This deficiency can lead to gradual exhaustion of kernel memory, eventually causing system instability or a denial of service. The weakness is an allocation that is not released on an error path, which corresponds to CWE-401 (Missing Release of Memory after Effective Lifetime).
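A user-space model of the error-path mix-up described above, as an added example that is not the kernel's code. Only the labels err_ctx_put and err_free_shm come from the description; the function names, the counters and the 4096-byte page size are assumptions.

```c
#include <stdio.h>
#include <stddef.h>
/* Constructed user-space model. Label names follow the description;
 * every function and body here is hypothetical, not kernel code. */
struct shm { size_t num_pages; };
static int live_shm;  /* shm objects allocated and not yet freed */
static int ctx_refs;  /* context references currently held */

/* Counts allocations instead of touching the heap. */
static struct shm *shm_alloc(void) { static struct shm slot; live_shm++; return &slot; }
static void shm_free(struct shm *s) { (void)s; live_shm--; }
/* Stand-in for iov_iter_npages(): a zero length covers zero pages. */
static size_t model_npages(size_t len) { return (len + 4095) / 4096; }

/* fixed == 0: zero-page case jumps to err_ctx_put (leak).
 * fixed == 1: zero-page case jumps to err_free_shm (the fix). */
static int register_shm_model(size_t len, int fixed)
{
    struct shm *shm;
    int ret = 0;

    ctx_refs++;
    shm = shm_alloc();               /* allocated before the page count */
    shm->num_pages = model_npages(len);
    if (!shm->num_pages) {
        ret = -1;                    /* stands in for an errno value */
        if (fixed)
            goto err_free_shm;
        goto err_ctx_put;            /* skips shm_free(): shm is leaked */
    }
    /* Success: the model releases shm so the counters isolate the error path. */
err_free_shm:
    shm_free(shm);
err_ctx_put:
    ctx_refs--;
    return ret;
}

/* Issue `calls` requests of `len` bytes; return objects still allocated. */
static int leaked_after(int calls, size_t len, int fixed)
{
    live_shm = ctx_refs = 0;
    while (calls-- > 0)
        register_shm_model(len, fixed);
    return live_shm;
}

int main(void)
{
    printf("old: %d leaked, new: %d leaked\n", leaked_after(1000, 0, 0), leaked_after(1000, 0, 1));
    return 0;
}
```

In the model, the context reference count returns to zero on both paths, so a check that only balances references would not notice the leaked object.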

Affected Systems

The vulnerability affects all Linux kernel builds that include the register_shm_helper implementation without the recent git patch, regardless of specific distribution or version. Users of the TEE driver on any Linux kernel not yet updated to incorporate this fix are potentially impacted. No explicit version range is provided, so any kernel installation predating the commit is considered at risk.

Risk and Exploitability

An attacker can trigger the bug by issuing the TEE_IOC_SHM_REGISTER ioctl with a zero-length request to the TEE driver, a capability typically limited to privileged or authenticated users. Repeated exploitation would progressively consume kernel memory, degrading performance and potentially leading to a crash or reboot. The vulnerability is not listed in the CISA KEV catalog and its EPSS score is currently unavailable, but the lack of a patch in the kernel implies a moderate to high exploitation risk for affected systems. Applying the kernel update that corrects the memory handling is the most effective countermeasure.

Generated by OpenCVE AI on June 25, 2026 at 11:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a revision that includes the register_shm_helper memory-leak fix
  • Configure or audit the TEE driver so that it rejects or ignores register requests with a length of zero
  • Ensure that privileged users or processes are strictly limited to necessary TEE operations to reduce the opportunity for exploitation

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 11:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-401 |

Thu, 25 Jun 2026 09:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | In the Linux kernel, the following vulnerability has been resolved: tee: shm: fix shm leak in register_shm_helper() register_shm_helper() allocates shm before calling iov_iter_npages(). If iov_iter_npages() returns 0, the function jumps to err_ctx_put and leaks shm. This can be triggered by TEE_IOC_SHM_REGISTER with struct tee_ioctl_shm_register_data where length is 0. Jump to err_free_shm instead. |
| Title | | tee: shm: fix shm leak in register_shm_helper() |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:15.569Z

Reserved: 2026-06-09T07:44:35.391Z

Link: CVE-2026-53210

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:30:06Z

Weaknesses
  • CWE-401: Missing Release of Memory after Effective Lifetime