VYPR
Medium severity · CVSS 5.5 · NVD Advisory · Published Apr 22, 2026 · Updated Apr 28, 2026

CVE-2026-31529

Description

In the Linux kernel, the following vulnerability has been resolved:

cxl/region: Fix leakage in __construct_region()

Failing the first sysfs_update_group() needs to explicitly kfree the resource as it is too early for cxl_region_iomem_release() to do so.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory leak in Linux kernel CXL region driver's __construct_region() when first sysfs_update_group fails, requiring explicit kfree.

Vulnerability

Description

The vulnerability is a memory leak in the Linux kernel's CXL (Compute Express Link) region subsystem. In the function __construct_region(), if the first call to sysfs_update_group() fails, the allocated resource is not freed because cxl_region_iomem_release() is invoked too early to handle this failure path. This results in a memory leak of the resource [1][2].
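The error-path pattern behind this CVE, as an added stand-alone C model that is not the kernel's code: a fault-injected stub for the first sysfs_update_group() call, an allocation counter, and the pre-fix flow beside the post-fix flow. Every name carrying the _model suffix, the counter and the fault-injection knob are constructed here; the real __construct_region() and cxl_region_iomem_release() differ in detail.

```c
/* Constructed model of the leak in __construct_region(); not kernel code. */
#include <stdlib.h>
#include <string.h>

struct resource_model { long start, end; };    /* stand-in for struct resource */

static int live_allocs;                         /* outstanding allocations */
static int fail_first_sysfs_update;             /* fault-injection knob */

static void *kzalloc_model(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void kfree_model(void *p) { if (p) { live_allocs--; free(p); } }

/* Stub for the first sysfs_update_group(): -EINVAL (-22) when armed, else 0. */
static int sysfs_update_group_model(void) { return fail_first_sysfs_update ? -22 : 0; }

struct region_model { struct resource_model *res; int iomem_registered; };

/* Later teardown: it only owns res once the region is fully set up, which is
 * why a failure before that point is "too early" for it to free anything. */
static void cxl_region_iomem_release_model(struct region_model *r) {
    if (r->iomem_registered) { kfree_model(r->res); r->res = NULL; }
}

/* fixed = 0: pre-patch flow, res leaks when the first update fails.
 * fixed = 1: post-patch flow, explicit kfree on that error path.
 * Returns 0 on success or a negative errno-style value. */
static int construct_region_model(struct region_model *r, int fixed) {
    int rc;
    r->res = kzalloc_model(sizeof(*r->res));
    if (!r->res) return -12;                    /* -ENOMEM */
    rc = sysfs_update_group_model();            /* first sysfs update */
    if (rc) {
        if (fixed) { kfree_model(r->res); r->res = NULL; }
        return rc;                              /* buggy flow returns here with res live */
    }
    r->iomem_registered = 1;                    /* release may now free res */
    return 0;
}

/* Drive one construction attempt with the first update failing, run the
 * normal teardown, and report how many allocations are still outstanding. */
int leaked_after_failed_construct(int fixed) {
    struct region_model r; memset(&r, 0, sizeof r);
    live_allocs = 0; fail_first_sysfs_update = 1;
    (void)construct_region_model(&r, fixed);
    cxl_region_iomem_release_model(&r);         /* cannot reach res in the buggy flow */
    return live_allocs;                         /* 1 before the fix, 0 after */
}
```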

Exploitation

Prerequisites

Exploitation requires the ability to trigger a failure in sysfs_update_group() during region construction. This could be achieved by a local attacker with sufficient privileges (e.g., root or access to CXL device configuration) or through certain system conditions that cause the sysfs update to fail. The attack surface is limited to systems with CXL hardware and the region creation functionality enabled.

Impact

An attacker exploiting this memory leak can cause a gradual exhaustion of kernel memory, potentially leading to system instability or denial of service (DoS). The CVSS v3 score of 5.5 (Medium) indicates a moderate impact, likely reflecting the need for local access and the gradual nature of the resource exhaustion.

Mitigation

The fix is included in Linux kernel stable commits [1][2]. Users should update their kernels to versions containing these patches. No workarounds are mentioned in the available references, so applying the patch is recommended.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6 affected

  • Linux/Kernel (6 versions)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.19, <6.19.11)
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Patches

0 patches. No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2 references (cited above as [1] and [2]; not listed on this page).

News mentions

0 mentions. No linked articles in our index yet.