Impact
The Linux kernel devlink subsystem contains a memory‑leak flaw that occurs when a child devlink instance is linked to a parent before the parent is registered and the child’s probe subsequently fails. Because the parent devlink has never been registered, devl_unregister() – the routine that normally releases nested relations – is not invoked. As a result, devlink->rel remains allocated until the kernel later deallocates the child, leaking kernel memory. The flaw does not provide an attack vector for code execution; the impact is limited to the exhaustion of the kernel heap if the leak is repeated enough times, which could degrade performance or lead to a denial of service.
Affected Systems
The flaw is present in the generic Linux kernel, affecting all distributions that include unpatched kernel code. No specific version range is provided, so every kernel version built before the patch is potentially vulnerable. The problem arises in the devlink module, and any driver or subsystem that creates nested devlink relationships before register can trigger the leak.
Risk and Exploitability
The CVSS score of 5.5 indicates a moderate risk, while the EPSS score of <1% shows a very low likelihood of exploitation. The vulnerability is not included in the CISA KEV catalog. Attacks would require local access or the ability to trigger probe errors for drivers that instantiate devlinks, making the risk low to medium unless the attacker controls the subsystem. The main danger is the gradual draining of kernel memory, which could eventually exhaust heap space and cause a local denial‑of‑service. No public exploits are known, but the patch is already available in the kernel repository.
OpenCVE Enrichment