VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-45863

Description

In the Linux kernel, the following vulnerability has been resolved:

i3c: dw: Fix memory leak in dw_i3c_master_i2c_xfers()

The dw_i3c_master_i2c_xfers() function allocates memory for the xfer structure using dw_i3c_master_alloc_xfer(). If pm_runtime_resume_and_get() fails, the function returns without freeing the allocated xfer, resulting in a memory leak.

Add a dw_i3c_master_free_xfer() call to the error path to ensure the allocated memory is properly freed.

Compile tested only. Issue found using a prototype static analysis tool and code review.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory leak in dw_i3c_master_i2c_xfers() when pm_runtime_resume_and_get() fails, fixed by adding a free call.

Vulnerability

A memory leak exists in the dw_i3c_master_i2c_xfers() function in the Linux kernel's DesignWare I3C master driver. The function allocates a transfer structure via dw_i3c_master_alloc_xfer() but does not free it if pm_runtime_resume_and_get() fails. This affects kernel versions before the fix commit [1].

Exploitation

An attacker would need to trigger the error path where pm_runtime_resume_and_get() fails. This requires the ability to invoke I2C transfers through the I3C master device, potentially from user space with appropriate permissions or via other kernel interfaces. The exact conditions depend on the runtime PM state of the device.

Impact

The memory leak causes unreclaimed kernel memory, which could lead to resource exhaustion and denial of service over repeated attempts. No code execution or information disclosure is indicated.

Mitigation

The fix is commit 140a45bd4f6d ("i3c: dw: Fix memory leak in dw_i3c_master_i2c_xfers()") which adds a call to dw_i3c_master_free_xfer() in the error path. Users should update to a kernel version that includes this patch. No workarounds are documented.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

8
253708941351

i3c: dw: Fix memory leak in dw_i3c_master_i2c_xfers()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Zilin Guan · Jan 26, 2026 · Fixed in 7.0 · via kernel-cna
2 files changed · +2 2
  • drivers/i3c/master/dw-i3c-master.c+1 1 modified
    diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c
    index e9b2c23ed1715f..cfc15aaf8c7bb2 100644
    --- a/drivers/i3c/master/dw-i3c-master.c
    +++ b/drivers/i3c/master/dw-i3c-master.c
    @@ -1106,6 +1106,7 @@ static int dw_i3c_master_i2c_xfers(struct i2c_dev_desc *dev,
     		dev_err(master->dev,
     			"<%s> cannot resume i3c bus master, err: %d\n",
     			__func__, ret);
    +		dw_i3c_master_free_xfer(xfer);
     		return ret;
     	}
     
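Review bot: The new dw_i3c_master_free_xfer(xfer) call sits in the resume-failure branch only because the xfer is already allocated by the time pm_runtime_resume_and_get() is attempted. Taking the runtime-PM reference before allocating the xfer would leave this branch with nothing to unwind; if the current order is kept, the placement after dev_err() and before "return ret;" is the right spot for the free.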
    -- 
    cgit 1.3-korg
    
    
    
140a45bd4f6d

i3c: dw: Fix memory leak in dw_i3c_master_i2c_xfers()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Zilin Guan · Jan 26, 2026 · Fixed in 6.12.75 · via kernel-cna
2 files changed · +2 2
  • drivers/i3c/master/dw-i3c-master.c+1 1 modified
    diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c
    index eca54cbc1c29a4..4c019c746f231e 100644
    --- a/drivers/i3c/master/dw-i3c-master.c
    +++ b/drivers/i3c/master/dw-i3c-master.c
    @@ -1102,6 +1102,7 @@ static int dw_i3c_master_i2c_xfers(struct i2c_dev_desc *dev,
     		dev_err(master->dev,
     			"<%s> cannot resume i3c bus master, err: %d\n",
     			__func__, ret);
    +		dw_i3c_master_free_xfer(xfer);
     		return ret;
     	}
     
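Review bot: Nothing shows the resume-failure branch touched by this hunk being executed, and the commit message states the change was compile tested only. Before relying on this backport, exercise the branch with pm_runtime_resume_and_get() made to fail and kmemleak enabled, and confirm that no xfer allocation is reported as unreferenced after the "cannot resume i3c bus master" message is logged.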
    -- 
    cgit 1.3-korg
    
    
    
a2c41467ef42

i3c: dw: Fix memory leak in dw_i3c_master_i2c_xfers()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Zilin Guan · Jan 26, 2026 · Fixed in 6.19.4 · via kernel-cna
2 files changed · +2 2
  • drivers/i3c/master/dw-i3c-master.c+1 1 modified
    diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c
    index d5b0704040562c..4033bc16677ff1 100644
    --- a/drivers/i3c/master/dw-i3c-master.c
    +++ b/drivers/i3c/master/dw-i3c-master.c
    @@ -1099,6 +1099,7 @@ static int dw_i3c_master_i2c_xfers(struct i2c_dev_desc *dev,
     		dev_err(master->dev,
     			"<%s> cannot resume i3c bus master, err: %d\n",
     			__func__, ret);
    +		dw_i3c_master_free_xfer(xfer);
     		return ret;
     	}
     
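Review bot: The cleanup before "return ret;" in this branch is open-coded, so any early return later added between the allocation and the normal free has to repeat the same call by hand. Routing the failure through a single unwind label that calls dw_i3c_master_free_xfer(xfer) would keep every exit from the function on one cleanup path and make a repeat of this omission harder.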
    -- 
    cgit 1.3-korg
    
    
    
8e71414e252c

i3c: dw: Fix memory leak in dw_i3c_master_i2c_xfers()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Zilin Guan · Jan 26, 2026 · Fixed in 6.18.14 · via kernel-cna
2 files changed · +2 2
  • drivers/i3c/master/dw-i3c-master.c+1 1 modified
    diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c
    index 75f813d72f851e..c06595cb740103 100644
    --- a/drivers/i3c/master/dw-i3c-master.c
    +++ b/drivers/i3c/master/dw-i3c-master.c
    @@ -1094,6 +1094,7 @@ static int dw_i3c_master_i2c_xfers(struct i2c_dev_desc *dev,
     		dev_err(master->dev,
     			"<%s> cannot resume i3c bus master, err: %d\n",
     			__func__, ret);
    +		dw_i3c_master_free_xfer(xfer);
     		return ret;
     	}
     
    -- 
    cgit 1.3-korg
    
    
    

Vulnerability mechanics

Root cause

"Missing deallocation of the xfer structure when pm_runtime_resume_and_get() fails in dw_i3c_master_i2c_xfers()."

Attack vector

An attacker who can trigger I2C transfers on a DesignWare I3C master controller may cause the kernel to repeatedly fail pm_runtime_resume_and_get() (e.g., by forcing the device into a low-power state from which it cannot resume). Each such failure leaks one xfer allocation. Over time this exhausts kernel memory, leading to denial of service. No authentication or special privileges are required beyond the ability to issue I2C/I3C device operations.

Affected code

The vulnerable function is dw_i3c_master_i2c_xfers() in drivers/i3c/master/dw-i3c-master.c. The xfer structure is allocated via dw_i3c_master_alloc_xfer() and, if pm_runtime_resume_and_get() fails, the function returns without calling dw_i3c_master_free_xfer().

What the fix does

The patch adds a single call to dw_i3c_master_free_xfer(xfer) in the error path immediately after the dev_err() call that logs the pm_runtime_resume_and_get() failure [patch_id=2661966]. This ensures that the xfer structure allocated earlier by dw_i3c_master_alloc_xfer() is freed before the function returns with an error, closing the memory leak.
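
The allocate, resume, return sequence described above can be modelled in userspace to count what each failed call leaves behind. This is an added example, not code from the driver or the patch; model_xfer, model_alloc_xfer(), model_free_xfer(), model_resume(), model_i2c_xfers() and leaked_after() are hypothetical stand-ins for the driver functions named on this page.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model; every name below is a stand-in, not a kernel symbol. */
struct model_xfer { int ncmds; };
static long live_xfers;	/* allocations not yet freed */

static struct model_xfer *model_alloc_xfer(int ncmds)
{
	struct model_xfer *x = calloc(1, sizeof(*x));
	if (x) { x->ncmds = ncmds; live_xfers++; }
	return x;
}

static void model_free_xfer(struct model_xfer *x) { live_xfers--; free(x); }
/* Stand-in for the runtime-PM resume call; fails on request. */
static int model_resume(int fail) { return fail ? -EIO : 0; }

/* Same shape as the transfer routine: allocate, resume, transfer, free. */
static int model_i2c_xfers(int ncmds, int resume_fails, int patched)
{
	struct model_xfer *xfer = model_alloc_xfer(ncmds);
	int ret;
	if (!xfer)
		return -ENOMEM;
	ret = model_resume(resume_fails);
	if (ret < 0) {
		if (patched)
			model_free_xfer(xfer);	/* the call the fix adds */
		return ret;			/* unpatched: xfer is lost */
	}
	model_free_xfer(xfer);	/* normal path frees after the transfer */
	return 0;
}

/* Issue `calls` transfers while resume keeps failing; return the leak count. */
static long leaked_after(int calls, int patched)
{
	long before = live_xfers;
	for (int i = 0; i < calls; i++)
		model_i2c_xfers(1, 1, patched);
	return live_xfers - before;
}

int main(void)
{
	printf("unpatched leaked %ld, patched leaked %ld\n",
	       leaked_after(1000, 0), leaked_after(1000, 1));
	return 0;
}
```

The unpatched variant leaks exactly one allocation per failed resume, which is why the impact grows with the number of failed transfers rather than with their size.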

Preconditions

  • input: Ability to trigger I2C transfers on a DesignWare I3C master controller.
  • config: The system must have runtime power management enabled for the I3C controller such that pm_runtime_resume_and_get() can fail.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
