VYPR
Medium severity · 5.5 · NVD Advisory · Published May 1, 2026 · Updated May 12, 2026

CVE-2026-43004

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: stm32-ospi: Fix resource leak in remove() callback

The remove() callback returned early if pm_runtime_resume_and_get() failed, skipping the cleanup of spi controller and other resources.

Remove the early return so cleanup completes regardless of PM resume result.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The remove() callback of the Linux kernel's spi-stm32-ospi driver leaks the SPI controller and related resources when runtime-PM resume fails.

Vulnerability

In the Linux kernel's STM32 OctoSPI driver (spi-stm32-ospi), the remove() callback contains a resource leak. If pm_runtime_resume_and_get() fails, the function returns early without cleaning up the SPI controller and associated resources, leading to a classic missing cleanup path. [1]
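The missing cleanup path, as an added example rather than code from the kernel or the stm32-ospi driver: a user-space C model of a remove() callback in the vulnerable shape (early return when runtime-PM resume fails) beside one that always completes software teardown. The struct and function names (fake_ospi, fake_pm_resume, leaks_after and so on), the particular resources counted, and the choice to gate only the hardware register write on the resume result are assumptions made for illustration, not a description of the upstream fix.

```c
/* Added example (not code from the Linux kernel or the stm32-ospi driver):
 * a user-space model of a driver remove() callback that returns early when
 * runtime-PM resume fails versus one that completes teardown regardless.
 * Every name here (fake_ospi, fake_pm_resume, ...) is an assumption made
 * for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define FAKE_EIO 5  /* stand-in errno value returned by a failed resume */

/* Constructed stand-in for the driver state: which resources are live. */
struct fake_ospi {
    bool controller_registered;  /* controller registered with the SPI core */
    int dma_channels_held;       /* DMA channels requested at probe (assumed) */
    bool hw_disabled;            /* controller disable register written */
    bool pm_enabled;             /* runtime PM still enabled for the device */
    bool resume_fails;           /* simulate pm_runtime_resume_and_get() error */
};

/* Simulated pm_runtime_resume_and_get(): 0 on success, negative errno on failure. */
static int fake_pm_resume(const struct fake_ospi *d)
{
    return d->resume_fails ? -FAKE_EIO : 0;
}

/* Simulated probe(): acquires everything remove() is expected to release. */
static void fake_probe(struct fake_ospi *d, bool resume_fails)
{
    d->controller_registered = true;
    d->dma_channels_held = 2;
    d->hw_disabled = false;
    d->pm_enabled = true;
    d->resume_fails = resume_fails;
}

/* Vulnerable shape: one early return skips every teardown step below it. */
static void remove_early_return(struct fake_ospi *d)
{
    if (fake_pm_resume(d) < 0)
        return;                  /* BUG: controller, DMA and PM state leak */
    d->controller_registered = false;
    d->hw_disabled = true;
    d->dma_channels_held = 0;
    d->pm_enabled = false;
}

/* Fixed shape: software teardown always runs; only the register write that
 * needs the device powered is skipped when resume failed (this gating is the
 * example's assumption, not necessarily what the upstream patch does). */
static void remove_always_cleanup(struct fake_ospi *d)
{
    int ret = fake_pm_resume(d);

    d->controller_registered = false;
    if (ret == 0)
        d->hw_disabled = true;
    d->dma_channels_held = 0;
    d->pm_enabled = false;
}

/* Number of resources still held after remove(); 0 means nothing leaked. */
static int leaked_resources(const struct fake_ospi *d)
{
    return (d->controller_registered ? 1 : 0) + d->dma_channels_held +
           (d->pm_enabled ? 1 : 0);
}

/* Probe, run one remove() variant, and report how many resources it leaked. */
static int leaks_after(void (*remove_fn)(struct fake_ospi *), bool resume_fails)
{
    struct fake_ospi d;

    fake_probe(&d, resume_fails);
    remove_fn(&d);
    return leaked_resources(&d);
}

int main(void)
{
    printf("resume ok   : early-return leaks %d, always-cleanup leaks %d\n",
           leaks_after(remove_early_return, false),
           leaks_after(remove_always_cleanup, false));
    printf("resume fails: early-return leaks %d, always-cleanup leaks %d\n",
           leaks_after(remove_early_return, true),
           leaks_after(remove_always_cleanup, true));
    return 0;
}
```

Compile with any C compiler and run. The point that carries over to real drivers: every resource acquired in probe() must be released on every exit path of remove(), and a failed resume should only skip the steps that need the device powered, never the software-side unregistration.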

Attack Surface

Triggering the bug requires local, privileged access: the remove() callback runs when the device is unbound from the driver (writing to the driver's unbind file in sysfs) or when the module is unloaded, both of which are root-only operations on a stock system. The resume failure itself is not attacker-controlled; it occurs when the device's runtime-resume callback fails (typically a clock or power-domain problem), so the leak is reached only when a privileged removal coincides with such an error. [1]

Impact

When removal proceeds past a failed resume, the SPI controller is never unregistered and the other resources that remove() is responsible for releasing are leaked. Each further bind/unbind cycle under the same condition leaks them again, so repeated cycles can exhaust kernel memory or leave the device unusable until reboot, a local denial of service. The CVSS 5.5 (medium) score reflects the local access requirement and the availability-only impact. [1]

Mitigation

Patched in mainline via commit 0807532c5ebb (also backported as commits 73cd1f97946a and b4ec54c974c6). Users are advised to apply the latest stable kernel updates; per the affected version ranges listed below, stable 6.18.22 and later and 7.0-rc7 and later carry the fix. No workaround exists beyond not unbinding or unloading the driver (for example in test or provisioning scripts) while runtime-PM resume is failing. [2][3]

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (9)

  • Linux / Kernel (8 versions)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.15, <6.18.22)
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • (no CPE)
  • Linux / stm32-ospi driver (no CPE)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.