Unrated severity · NVD Advisory · Published Feb 14, 2026 · Updated Apr 15, 2026

CVE-2026-23176


Description

In the Linux kernel, the following vulnerability has been resolved:

platform/x86: toshiba_haps: Fix memory leaks in add/remove routines

toshiba_haps_add() leaks the haps object allocated by it if it returns an error after allocating that object successfully.

toshiba_haps_remove() does not free the object pointed to by toshiba_haps before clearing that pointer, so it becomes unreachable allocated memory.

Address these memory leaks by using devm_kzalloc() for allocating the memory in question.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-23176 fixes two memory leaks in the Linux kernel's toshiba_haps driver when adding or removing the device.

Vulnerability Description

The toshiba_haps driver in the Linux kernel contained two memory leak vulnerabilities in its add and remove routines [1][2]. In toshiba_haps_add(), if an error occurs after allocating the haps object but before successful completion, the allocated memory was not freed, causing a leak. In toshiba_haps_remove(), the pointer to the allocated haps object was cleared without freeing the memory it pointed to, making that memory unreachable [3].

Exploitation Analysis

These are memory leak bugs that occur during normal driver loading and unloading cycles. An attacker would need to repeatedly trigger the device add/remove sequence—for example by hot-plugging or through system suspend/resume—to exhaust kernel memory. No special privileges are required beyond the ability to cause the driver to bind/unbind, which may be achievable by a local user with access to sysfs or through module reloads [1].

Impact

Over time, the accumulated unreleased memory can exhaust the kernel's memory pool, leading to system instability or denial of service. No data confidentiality or integrity impact is expected, as the vulnerability only affects memory allocation and not the data stored in that memory [2].

Mitigation

The issue was resolved by switching to devm_kzalloc(), which automatically frees the allocated memory when the device is removed or if the probe fails [3]. Linux kernel stable branches have received the backported fix. Users should update to a kernel version containing the commit referenced in the advisory.
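A userspace C model of the two leak patterns and of the device-managed allocation that removes them, added here as an illustration; it is not the toshiba_haps driver source or the upstream patch. All `model_*` names, the `struct dev` layout and the 64-byte object size are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model with hypothetical names; not the toshiba_haps source. */
static int live_allocs;                        /* allocations not yet freed */
struct dev { void *devres[4]; int ndevres; void *drvdata; };

static void *model_kzalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void model_kfree(void *p) { if (p) { live_allocs--; free(p); } }

/* Stand-in for devm_kzalloc(): the allocation is recorded on the device. */
static void *model_devm_kzalloc(struct dev *d, size_t n)
{
    void *p = d->ndevres < 4 ? model_kzalloc(n) : NULL;
    if (p) d->devres[d->ndevres++] = p;
    return p;
}

/* Stand-in for the cleanup the driver core runs after a failed add or a remove. */
static void model_devres_release_all(struct dev *d)
{
    while (d->ndevres > 0)
        model_kfree(d->devres[--d->ndevres]);
}

/* Add routine: a later setup step can fail after the allocation succeeded. */
static int model_add(struct dev *d, int use_devm, int later_step_fails)
{
    void *haps = use_devm ? model_devm_kzalloc(d, 64) : model_kzalloc(64);
    if (!haps) return -1;
    if (later_step_fails) return -1;           /* leak pattern 1: no free on this path */
    d->drvdata = haps;
    return 0;
}

/* Remove routine: leak pattern 2, the pointer is cleared without a free. */
static void model_remove(struct dev *d) { d->drvdata = NULL; }

/* One add attempt (plus remove if it succeeded); returns objects still allocated. */
static int leaked_after_cycle(int use_devm, int later_step_fails)
{
    struct dev d = {0};
    live_allocs = 0;
    if (model_add(&d, use_devm, later_step_fails) == 0)
        model_remove(&d);
    model_devres_release_all(&d);              /* runs in both outcomes */
    return live_allocs;
}

int main(void) { printf("manual=%d devm=%d\n", leaked_after_cycle(0, 1), leaked_after_cycle(1, 1)); return 0; }
```

The add and remove routines are identical in both modes; only the allocator changes, which mirrors the fix described in the advisory.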

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
