SB20260325117 - Missing release of memory after effective lifetime in Linux kernel pinctrl driver
Published: March 25, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-23337)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the pinctrl subsystem when parsing device tree configuration. A local user can trigger a memory leak by providing malformed device tree configuration, leading to gradual resource exhaustion.
Exploitation requires the ability to supply or influence device tree configuration processed by the kernel.
Remediation
Install update from vendor's website.