CVE-2026-23033

Vulnerability

CVE-2026-23033 is a resource leak vulnerability in the Linux kernel's omap-dma DMA engine driver. The root cause is that the dma_pool created via dma_pool_create() during driver probe is not destroyed when either dma_async_device_register() or of_dma_controller_register() fails. This leaves the allocated DMA pool memory unreleased, leading to a memory leak in the probe error paths [1][2][3].

Exploitation

This vulnerability is triggered during the driver initialization (probe) phase. An attacker would need to cause the probe to fail after the pool is created but before the registration calls succeed. This could be achieved by manipulating device tree entries or hardware configuration to force-unbind scenarios, though the exact attack surface depends on system configuration. No authentication is required, as the driver probe occurs in kernel context during device enumeration.

Impact

An attacker who can repeatedly trigger probe failures could exhaust kernel memory by leaking DMA pool allocations, potentially leading to denial of service (DoS). The leak is per-failure, so sustained exploitation could degrade system stability. There is no evidence of code execution or privilege escalation from this bug.

Mitigation

The fix adds dma_pool_destroy() calls in both error paths, both error paths, ensuring the pool is released on failure. The patch [1][2][3]. The fix has been merged into the stable kernel tree. Users should update to a kernel version containing the commit.