VYPR
Unrated severity · NVD Advisory · Published Jan 31, 2026 · Updated Apr 15, 2026

CVE-2026-23027

Description

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()

In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_pch_pic_destroy() is not currently doing this, that would lead to a memory leak.

So, fix it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory leak in LoongArch KVM's kvm_pch_pic_destroy() fails to free the kvm_device struct, leading to resource exhaustion.

Vulnerability

In the Linux kernel's LoongArch KVM implementation, the function kvm_pch_pic_destroy() does not free the kvm_device struct that was allocated in kvm_ioctl_create_device(). This omission causes a memory leak each time a device is destroyed, as the destroy callback is expected to release the device structure itself [1].
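
The ownership contract described above, as an added userspace model (not kernel code and not taken from the patch): the create path allocates the device struct and only the destroy callback can free it. All `model_*` names, the `priv` field and the small allocation tracker are assumptions made for illustration.

```c
/* Constructed userspace model of the create/destroy contract; not kernel code. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 4096
static void *live[MAX_LIVE];               /* outstanding allocations */
static void *model_alloc(size_t n) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) return live[i] = calloc(1, n);
    return NULL;
}
static void model_free(void *p) {
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
}
/* Leak audit: count whatever is still outstanding, then reclaim it. */
static long audit_and_reclaim(void) {
    long n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i]) { free(live[i]); live[i] = NULL; n++; }
    return n;
}

struct model_device;
struct model_ops { void (*destroy)(struct model_device *dev); };
struct model_device { const struct model_ops *ops; void *priv; };

/* Before the fix: device-private state is released, the device struct is not. */
static void destroy_leaky(struct model_device *dev) { model_free(dev->priv); }
/* After the fix: the callback also frees the device struct it was handed. */
static void destroy_fixed(struct model_device *dev) { model_free(dev->priv); model_free(dev); }
static const struct model_ops leaky_ops = { destroy_leaky }, fixed_ops = { destroy_fixed };

/* Create path allocates the device; only ops->destroy() can free it.
 * Returns the number of allocations still outstanding after all cycles. */
static long run_cycles(const struct model_ops *ops, int cycles) {
    for (int i = 0; i < cycles; i++) {
        struct model_device *dev = model_alloc(sizeof(*dev));
        if (!dev) break;
        dev->ops = ops;
        dev->priv = model_alloc(64);       /* assumed stand-in for device state */
        dev->ops->destroy(dev);            /* caller never touches dev again */
    }
    return audit_and_reclaim();
}

int main(void) {
    printf("leaky: %ld structs leaked\n", run_cycles(&leaky_ops, 1000));
    printf("fixed: %ld structs leaked\n", run_cycles(&fixed_ops, 1000));
    return 0;
}
```

The leak grows by one device struct per create/destroy cycle, which is why a counter of outstanding allocations across repeated cycles is a useful regression check for destroy callbacks of this kind.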

Exploitation

An attacker with the ability to create and destroy KVM devices on a LoongArch system can repeatedly trigger this leak. No special privileges beyond access to the KVM device interface are required, though the attack surface is limited to systems using the LoongArch architecture with the PCH-PIC device model.

Impact

Repeated exploitation can exhaust kernel memory, potentially leading to denial of service (loss of system stability or availability). The leak does not directly allow code execution or privilege escalation, but resource exhaustion can disrupt other processes.

Mitigation

The fix is included in the Linux kernel stable tree as commit fc53a66227af. Users should apply the patch or update to a kernel version containing this commit. No workaround is available other than avoiding repeated device creation/destruction cycles.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
