Sign in Subscribe

← All advisories

Unrated severityNVD Advisory· Published May 27, 2026· Updated May 27, 2026

CVE-2026-45883

CVE-2026-45883

Description

In the Linux kernel, the following vulnerability has been resolved:

iio: sca3000: Fix a resource leak in sca3000_probe()

spi->irq from request_threaded_irq() not released when iio_device_register() fails. Add an return value check and jump to a common error handler when iio_device_register() fails.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A resource leak in the Linux kernel's sca3000 driver fails to release an IRQ on iio_device_register() failure, potentially leading to denial of service.

Vulnerability

In the Linux kernel, the sca3000 IIO driver in drivers/iio/accel/sca3000.c contains a resource leak. The function sca3000_probe() calls request_threaded_irq() to register an interrupt handler, but if iio_device_register() subsequently fails, the allocated IRQ (spi->irq) is never freed. This affects kernel versions prior to the commits that fix the issue.

Exploitation

An attacker would need the ability to trigger a failure in iio_device_register() for a SCA3000 device, which could occur under certain system conditions or by manipulating device configuration. No special privileges are required beyond the ability to cause the probe to fail. The attacker does not need to be local if the device is accessible via SPI bus from userspace, but typically the attack surface is limited to physical access or specific kernel configurations.

Impact

If the probe fails repeatedly, the unreleased IRQ can lead to resource exhaustion, causing a denial of service (DoS) on the system. The vulnerability does not allow information disclosure or privilege escalation; it is a resource leak that degrades system stability.

Mitigation

The fix was applied in the Linux kernel stable tree with commits 103ac8e3a7f3 and e8e960c3d23f [1][2]. Users should update to a kernel version containing these commits. No workaround is available if the driver cannot be unloaded; the only mitigation is to apply the patch.

References

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Linux/Kernelllm-fuzzy

Patches

16

62b44ebc1f2c

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitHarshit MogalapalliJan 28, 2026Fixed in 7.0via kernel-cna

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index 950b4c6724845a..4a827be439a23e 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1487,7 +1487,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

597d749c5180

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitHarshit MogalapalliJan 28, 2026Fixed in 6.1.165via kernel-cna

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index 87c54e41f6ccd2..2b87f7f5508bbd 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1496,7 +1496,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

40c860ece225

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitHarshit MogalapalliJan 28, 2026Fixed in 5.15.202via kernel-cna

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index cb753a43533cdd..9174269c7653b9 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1489,7 +1489,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

517d9f2b9630

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitHarshit MogalapalliJan 28, 2026Fixed in 6.18.14via kernel-cna

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index bfa8a3f5a92f43..9ef4d6e2746697 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1489,7 +1489,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

84d3c396d8ae

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitHarshit MogalapalliJan 28, 2026Fixed in 6.19.4via kernel-cna

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index bfa8a3f5a92f43..9ef4d6e2746697 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1489,7 +1489,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

103ac8e3a7f3

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitHarshit MogalapalliJan 28, 2026Fixed in 6.12.75via kernel-cna

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index 87c54e41f6ccd2..2b87f7f5508bbd 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1496,7 +1496,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

55e13abf22c2

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitHarshit MogalapalliJan 28, 2026Fixed in 5.10.252via kernel-cna

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index 194738660523d4..10a4bf32918a73 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1502,7 +1502,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

e8e960c3d23f

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitHarshit MogalapalliJan 28, 2026Fixed in 6.6.128via kernel-cna

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index 87c54e41f6ccd2..2b87f7f5508bbd 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1496,7 +1496,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

e8e960c3d23f

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitHarshit MogalapalliJan 28, 2026via nvd-ref

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index 87c54e41f6ccd2..2b87f7f5508bbd 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1496,7 +1496,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

55e13abf22c2

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitHarshit MogalapalliJan 28, 2026via nvd-ref

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index 194738660523d4..10a4bf32918a73 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1502,7 +1502,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

40c860ece225

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitHarshit MogalapalliJan 28, 2026via nvd-ref

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index cb753a43533cdd..9174269c7653b9 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1489,7 +1489,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

103ac8e3a7f3

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitHarshit MogalapalliJan 28, 2026via nvd-ref

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index 87c54e41f6ccd2..2b87f7f5508bbd 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1496,7 +1496,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

62b44ebc1f2c

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitHarshit MogalapalliJan 28, 2026via nvd-ref

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index 950b4c6724845a..4a827be439a23e 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1487,7 +1487,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

517d9f2b9630

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitHarshit MogalapalliJan 28, 2026via nvd-ref

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index bfa8a3f5a92f43..9ef4d6e2746697 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1489,7 +1489,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

597d749c5180

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitHarshit MogalapalliJan 28, 2026via nvd-ref

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index 87c54e41f6ccd2..2b87f7f5508bbd 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1496,7 +1496,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

84d3c396d8ae

iio: sca3000: Fix a resource leak in sca3000_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitHarshit MogalapalliJan 28, 2026via nvd-ref

1 file changed · +5 −2

drivers/iio/accel/sca3000.c+5 −2 modified

diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c
index bfa8a3f5a92f43..9ef4d6e2746697 100644
--- a/drivers/iio/accel/sca3000.c
+++ b/drivers/iio/accel/sca3000.c
@@ -1489,7 +1489,11 @@ static int sca3000_probe(struct spi_device *spi)
 	if (ret)
 		goto error_free_irq;
 
-	return iio_device_register(indio_dev);
+	ret = iio_device_register(indio_dev);
+	if (ret)
+		goto error_free_irq;
+
+	return 0;
 
 error_free_irq:
 	if (spi->irq)
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"Missing error handling: the return value of iio_device_register() was not checked, so the previously requested IRQ was not freed on failure."

Attack vector

An attacker does not directly trigger this bug; it is a resource leak that occurs during device probe when the kernel's IIO subsystem fails to register the device (e.g., due to a duplicate device name or a memory allocation failure). The precondition is that the SCA3000 accelerometer SPI device is present and its probe function is invoked. If `iio_device_register()` returns an error, the IRQ line requested earlier via `request_threaded_irq()` is never freed, leaking the IRQ descriptor and preventing that IRQ from being used again.

Affected code

The vulnerability is in the `sca3000_probe()` function in `drivers/iio/accel/sca3000.c` [patch_id=2661715]. The function calls `request_threaded_irq()` to register an IRQ handler, then later calls `iio_device_register()`. If `iio_device_register()` fails, the original code returned the error directly without freeing the previously requested IRQ via `spi->irq`.

What the fix does

The patch changes the `return iio_device_register(indio_dev);` line into a check of the return value. If `iio_device_register()` fails, the code now jumps to the existing `error_free_irq` label, which calls `free_irq(spi->irq, indio_dev)` to release the IRQ. On success, the function returns 0. This ensures the IRQ resource is always freed on any error path after it has been requested [patch_id=2661715].

Preconditions

inputThe SCA3000 accelerometer SPI device must be present and its probe function must be invoked.
inputiio_device_register() must fail after request_threaded_irq() has succeeded.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8

News mentions

0

No linked articles in our index yet.