CVE-2026-43264
Description
In the Linux kernel, the following vulnerability has been resolved:
fbdev: of: display_timing: fix refcount leak in of_get_display_timings()
of_parse_phandle() returns a device_node with refcount incremented, which is stored in 'entry' and then copied to 'native_mode'. When the error paths at lines 184 or 192 jump to 'entryfail', native_mode's refcount is not decremented, causing a refcount leak.
Fix this by changing the goto target from 'entryfail' to 'timingfail', which properly calls of_node_put(native_mode) before cleanup.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A refcount leak in the Linux kernel's fbdev of_get_display_timings() can lead to memory exhaustion, fixed by correcting the error path goto target.
Vulnerability Overview
A refcount leak vulnerability exists in the Linux kernel's fbdev subsystem, specifically within the of_get_display_timings() function. The function uses of_parse_phandle() to obtain a device node pointer, which increments the reference count of the returned node. This pointer is stored in entry and later copied to native_mode. However, in error paths at lines 184 and 192, when jumping to the entryfail label, the reference count of native_mode is not decremented, leading to a leak [1].
Exploitation and Attack Surface
Exploitation requires the ability to trigger the error paths in of_get_display_timings(), which is typically reached during boot or device tree parsing. No authentication is needed as it occurs in kernel initialization, but local access to trigger a particular device tree configuration or a crafted boot scenario may be necessary. The attack surface is limited to systems that utilize device tree-based display timing configuration.
Impact
An attacker who can repeatedly trigger the error paths can cause a gradual depletion of memory by leaking device_node references. While not directly leading to code execution, this could result in denial of service due to memory exhaustion, impacting system stability and availability.
Mitigation
The fix is included in Linux kernel stable updates. The patch changes the error path goto target from entryfail to timingfail, which properly calls of_node_put(native_mode) before cleanup, preventing the refcount leak [1][2]. Users should apply the updated kernel version to resolve the issue.
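The leaky error path and the corrected one, as an added userspace model (not the kernel source and not code from this page): `struct node`, `parse_phandle()`, `get_timings()`, `leaked_refs()` and the `fail`/`fixed` parameters are hypothetical stand-ins, and only the names `entry`, `native_mode`, `entryfail` and `timingfail` come from the description.

```c
#include <stdlib.h>

/* Userspace stand-in for a refcounted device_node (constructed model). */
struct node { int refcount; };

static void node_put(struct node *n) { if (n) n->refcount--; }

/* Stand-in for of_parse_phandle(): returns the node with refcount incremented. */
static struct node *parse_phandle(struct node *t) { if (t) t->refcount++; return t; }

/*
 * Model of the error-path layout. 'fail' simulates an error after native_mode
 * is set; 'fixed' selects the goto target. Both are hypothetical parameters.
 */
static int get_timings(struct node *target, int fail, int fixed)
{
    struct node *entry, *native_mode;
    void *disp = malloc(64);

    if (!disp)
        return -1;
    entry = parse_phandle(target);   /* reference taken here */
    if (!entry)
        goto entryfail;              /* nothing held yet, skipping the put is fine */
    native_mode = entry;             /* same reference under a second name */

    if (fail) {
        if (fixed)
            goto timingfail;         /* fixed: reference is dropped below */
        goto entryfail;              /* leaky: jumps past node_put() */
    }
    node_put(native_mode);           /* success path in this model releases it */
    free(disp);
    return 0;

timingfail:
    node_put(native_mode);
entryfail:
    free(disp);
    return -1;
}

/* Run 'rounds' failing calls and return how many references were leaked. */
int leaked_refs(int rounds, int fixed)
{
    struct node n = { .refcount = 1 };   /* one baseline reference */
    for (int i = 0; i < rounds; i++)
        get_timings(&n, 1, fixed);
    return n.refcount - 1;
}
```

Each failing call through the old target leaves the count one higher, so the node can never reach zero and be freed; with the corrected target the count returns to its baseline.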
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References
- git.kernel.org/stable/c/20881ad42e651c69d89eb38a2042838187900fd6 (nvd, Patch)
- git.kernel.org/stable/c/2b22e4fe1273c24f405ed7903349c4bbd82b6368 (nvd, Patch)
- git.kernel.org/stable/c/3ed019654234edb8625c05d05e15d40f74e64f70 (nvd, Patch)
- git.kernel.org/stable/c/69290f2d3999c5fa1a7f5d5593cfc5461fa3ee64 (nvd, Patch)
- git.kernel.org/stable/c/b5bdcc5afbff845834d04d651773cb6b47db5dd3 (nvd, Patch)
- git.kernel.org/stable/c/c5734f9030a8b1e13868d1641b5163d8e659306e (nvd, Patch)
- git.kernel.org/stable/c/d6f34bbff07476c6abb8672c89d217824871c5ed (nvd, Patch)
- git.kernel.org/stable/c/eacf9840ae1285a1ef47eb0ce16d786e542bd4d7 (nvd, Patch)