CVE-2026-23030
Description
In the Linux kernel, the following vulnerability has been resolved:
phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()
The for_each_available_child_of_node() calls of_node_put() to release child_np in each success loop. After breaking from the loop with the child_np has been released, the code will jump to the put_child label and will call the of_node_put() again if the devm_request_threaded_irq() fails. These cause a double free bug.
Fix by returning directly to avoid the duplicate of_node_put().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Double free bug in Linux kernel's Rockchip USB2 PHY driver due to duplicate of_node_put() in probe function.
Vulnerability
Analysis
In the Linux kernel's Rockchip USB2 PHY driver, the rockchip_usb2phy_probe() function contains a double free bug in error handling. The loop for_each_available_child_of_node() automatically calls of_node_put() on child nodes each iteration. When breaking from the loop after a successful iteration, if devm_request_threaded_irq() fails, the code jumps to the put_child label and calls of_node_put() again on a child node that has already been released, causing a double free.
Exploitation
An attacker must have the ability to cause the devm_request_threaded_irq() call to fail during probe, typically by manipulating system resources (e.g., exhausting IRQ lines). This requires local access to the system where the affected Rockchip USB2 PHY hardware is present. No authentication is needed beyond being able to trigger the probe of the device.
Impact
A double free can lead to kernel memory corruption, resulting in a system crash (denial of service) or potentially enabling privilege escalation or arbitrary code execution if an attacker can control freed memory structures. The severity depends on the kernel's memory allocator protections.
Mitigation
The vulnerability is fixed in the Linux stable kernel by returning directly from the error path instead of jumping to the put_child label, eliminating the duplicate of_node_put() call. Patches are available as commit [1] and [2]. Users should apply the latest stable kernel updates to resolve this issue.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/027d42b97e6eb827c3438ebc09bab7efaee9270dnvd
- git.kernel.org/stable/c/b97b2c9808c9a97e0ce30216fa12096d8b0eaa75nvd
- git.kernel.org/stable/c/e07dea3de508cd6950c937cec42de7603190e1canvd
- git.kernel.org/stable/c/ebae26dd15140b840cf65be5e1c0daee949ba70bnvd
- git.kernel.org/stable/c/efe92ee7a111fe0f4d75f3ed6b7e3f86322279d5nvd
News mentions
0No linked articles in our index yet.