VYPR
Medium severity 5.5 · NVD Advisory · Published Apr 3, 2026 · Updated May 20, 2026

CVE-2026-23464

Description

In the Linux kernel, the following vulnerability has been resolved:

soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe()

In mpfs_sys_controller_probe(), if of_get_mtd_device_by_node() fails, the function returns immediately without freeing the allocated memory for sys_controller, leading to a memory leak.

Fix this by jumping to the out_free label to ensure the memory is properly freed.

Also, consolidate the error handling for the mbox_request_channel() failure case to use the same label.
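
A user-space C model of the error path described above, added here as an illustration; it is not the kernel source or the fix commit. The names `ctrl`, `get_flash`, `get_chan`, `probe_leaky`, `probe_fixed` and `leaked_after`, the error codes, the order of the two steps, and the assumption that the mailbox failure path freed the structure inline before the fix are all hypothetical.

```c
#include <errno.h>
#include <stdio.h>

/* User-space model of the probe error path; all names are hypothetical. */
struct ctrl { int flash; int chan; };
typedef int (*probe_fn)(int flash_fail, int chan_fail, struct ctrl **out);

/* Counting allocator over a static pool, so the model leaks no real memory. */
static struct ctrl pool[64];
static int next_slot, live_allocs;
static struct ctrl *ctrl_alloc(void) { live_allocs++; return &pool[next_slot++ % 64]; }
static void ctrl_free(struct ctrl *c) { if (c) live_allocs--; }

/* Stand-ins for the flash lookup and mailbox request; negative means failure. */
static int get_flash(int fail) { return fail ? -ENODEV : 1; }
static int get_chan(int fail) { return fail ? -EBUSY : 1; }

/* Before: the flash-lookup failure returns without freeing c. */
static int probe_leaky(int flash_fail, int chan_fail, struct ctrl **out) {
    struct ctrl *c = ctrl_alloc();
    int ret;
    if ((c->flash = get_flash(flash_fail)) < 0) return c->flash; /* c leaks */
    if ((ret = c->chan = get_chan(chan_fail)) < 0) { ctrl_free(c); return ret; }
    *out = c;
    return 0;
}

/* After: every failure following the allocation leaves through out_free. */
static int probe_fixed(int flash_fail, int chan_fail, struct ctrl **out) {
    struct ctrl *c = ctrl_alloc();
    int ret;
    if ((ret = c->flash = get_flash(flash_fail)) < 0) goto out_free;
    if ((ret = c->chan = get_chan(chan_fail)) < 0) goto out_free;
    *out = c;
    return 0;
out_free:
    ctrl_free(c);
    return ret;
}

/* Run n probes failing at the flash lookup; return allocations left behind. */
static int leaked_after(probe_fn probe, int n) {
    struct ctrl *c = NULL;
    int before = live_allocs;
    for (int i = 0; i < n; i++) probe(1, 0, &c);
    return live_allocs - before;
}

int main(void) {
    printf("leaky: %d outstanding\n", leaked_after(probe_leaky, 1000));
    printf("fixed: %d outstanding\n", leaked_after(probe_fixed, 1000));
    return 0;
}
```

Each failed probe in the leaky variant leaves one allocation outstanding, so the loss scales with how often the probe is retried.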

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory leak in Linux kernel's Microchip MPFS system controller probe when of_get_mtd_device_by_node fails.

Vulnerability

The vulnerability is a memory leak in the Linux kernel's mpfs_sys_controller_probe() function within the soc/microchip/mpfs subsystem. When the call to of_get_mtd_device_by_node() fails, the function returns immediately without freeing the memory previously allocated for sys_controller, causing a memory leak [1][2].

Exploitation

An attacker would need to trigger a failure in of_get_mtd_device_by_node(), which could occur if the device tree node is invalid or missing. The vulnerability is present in the probe path of the system controller driver, so it requires the driver to be loaded and to encounter an expected error condition. No special privileges are required beyond the ability to trigger a probe of the affected device [3].

Impact

If successfully triggered, the memory leak leads to gradual depletion of kernel memory over time, potentially causing system instability or denial of service on systems using the Microchip PolarFire SoC [4]. The CVSS v3 score is 5.5 (Medium), reflecting the moderate severity of a local memory leak that could lead to degraded performance.

Mitigation

The fix has been applied in the Linux kernel stable trees as of April 2026. Users should update to a kernel version containing the commits that consolidate error paths and properly free memory on failure [1][2][3][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
