VYPR
Medium severity 5.5 · NVD Advisory · Published Mar 25, 2026 · Updated Apr 23, 2026

CVE-2026-23314

Description

In the Linux kernel, the following vulnerability has been resolved:

regulator: bq257xx: Fix device node reference leak in bq257xx_reg_dt_parse_gpio()

In bq257xx_reg_dt_parse_gpio(), if it fails to get the subchild, it returns without calling of_node_put(child), causing a device node reference leak.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A device node reference leak in the Linux kernel's bq257xx regulator driver could lead to memory exhaustion.

Vulnerability

In the Linux kernel's bq257xx regulator driver, the function bq257xx_reg_dt_parse_gpio() fails to release a device node reference obtained via of_node_get() when a subchild lookup fails. This results in a reference count leak for the device node, as described in the CVE description [1].

Exploitation

The vulnerability is triggered during device tree parsing when the driver attempts to retrieve a GPIO subchild. If the subchild is not found, the function returns an error without calling of_node_put(child), so the reference on child is never released. An attacker would need local access to the system and the ability to trigger device tree parsing, typically through driver probe of the affected hardware or by loading/unloading the driver. No special privileges beyond local user access are required if the driver can be triggered from userspace.

Impact

Repeatedly triggering this code path can cause the kernel's device node reference count to leak, eventually leading to memory exhaustion or denial of service. The CVSS v3 score of 5.5 (Medium) reflects the local attack vector and potential for system instability.

Mitigation

The fix is included in the Linux kernel stable releases as commits [1], [2], and [3]. Users should update to a kernel version containing these commits. No workaround is available; the driver must be fixed to properly release the reference.
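The leak and the shape of its fix, modeled in user-space C as an added example; this is not the bq257xx driver's code or the upstream patch. `mock_node`, `mock_get_child()`, `mock_node_put()`, the `parse_gpio_*` functions and the node names are hypothetical stand-ins, and the model assumes a child lookup that returns the node with a reference taken.

```c
#include <string.h>

/* User-space model of a refcounted device tree node (constructed, not kernel code). */
struct mock_node { const char *name; int refcount; struct mock_node *child; };

/* Models a by-name child lookup that returns the node with a reference taken. */
static struct mock_node *mock_get_child(struct mock_node *parent, const char *name)
{
    struct mock_node *c = parent->child;
    if (!c || strcmp(c->name, name) != 0)
        return NULL;
    c->refcount++;
    return c;
}

/* Models dropping a reference; NULL is accepted and ignored. */
static void mock_node_put(struct mock_node *n) { if (n) n->refcount--; }

/* Shape of the bug: the subchild-failure return skips the put on child. */
int parse_gpio_leaky(struct mock_node *dev)
{
    struct mock_node *child = mock_get_child(dev, "child");
    if (!child) return -1;
    struct mock_node *subchild = mock_get_child(child, "subchild");
    if (!subchild)
        return -1;             /* child reference is never dropped */
    mock_node_put(subchild);
    mock_node_put(child);
    return 0;
}

/* Shape of the fix: drop the child reference on every exit after the lookup. */
int parse_gpio_fixed(struct mock_node *dev)
{
    struct mock_node *child = mock_get_child(dev, "child");
    if (!child) return -1;
    struct mock_node *subchild = mock_get_child(child, "subchild");
    int ret = subchild ? 0 : -1;
    mock_node_put(subchild);   /* no-op when the lookup failed */
    mock_node_put(child);
    return ret;
}

/* References left on child after n parses of a tree that has no subchild. */
int leaked_refs(int (*parse)(struct mock_node *), int n)
{
    struct mock_node child = { "child", 1, NULL }, dev = { "dev", 1, &child };
    while (n-- > 0)
        parse(&dev);
    return child.refcount - 1;
}
```

Each failed parse in the leaky variant leaves one extra reference on the child node, so the count grows with the number of failures, while the fixed variant returns the count to its starting value on both the error and success paths.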

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10
  • Linux/Kernel: 9 versions
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.18.1,<6.18.17)
    • cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

References

3
