VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-45921

Description

In the Linux kernel, the following vulnerability has been resolved:

mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse()

The function mtd_parser_tplink_safeloader_parse() allocates buf via mtd_parser_tplink_safeloader_read_table(). If the allocation for parts[idx].name fails inside the loop, the code jumps to the err_free label without freeing buf, leading to a memory leak.

Fix this by freeing the temporary buffer buf in the err_free label.

Compile tested only. Issue found using a prototype static analysis tool and code review.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory leak in Linux kernel MTD parser mtd_parser_tplink_safeloader_parse() when allocation fails during parsing.

Vulnerability

The function mtd_parser_tplink_safeloader_parse() in the Linux kernel's MTD subsystem allocates a buffer (buf) via mtd_parser_tplink_safeloader_read_table(). Inside a loop, it attempts to allocate memory for parts[idx].name. If this allocation fails, the code jumps to the err_free label without freeing buf, causing a memory leak. This vulnerability exists in kernel versions containing this function.

Exploitation

An attacker with the ability to supply a malicious or malformed TP-Link Safeloader partition table (e.g., via a modified firmware image) could trigger the memory leak by causing an allocation failure during parsing. No authentication or user interaction is required if the partition table is processed automatically, such as during device boot or mount.

Impact

The memory leak could lead to gradual memory exhaustion, potentially resulting in a denial of service (DoS) condition on the affected system. No code execution or privilege escalation is implied by the leak itself.

Mitigation

The fix has been applied in the Linux kernel via commit 980ce2b02dd06a4fdf5fee38b2e14becf9cf7b8b [1]. Users should apply the patch or update to a kernel version that includes this commit. No workarounds are documented; however, disabling automatic parsing of TP-Link Safeloader partition tables may prevent exploitation if not needed.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

10
e97f5fac8ce9

mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Zilin Guan · Jan 22, 2026 · Fixed in 6.12.75 · via kernel-cna
1 file changed · +1 1
  • drivers/mtd/parsers/tplink_safeloader.c +1 1 modified
    diff --git a/drivers/mtd/parsers/tplink_safeloader.c b/drivers/mtd/parsers/tplink_safeloader.c
    index e358a029dc70cf..4fcaf92d22e4fe 100644
    --- a/drivers/mtd/parsers/tplink_safeloader.c
    +++ b/drivers/mtd/parsers/tplink_safeloader.c
    @@ -116,6 +116,7 @@ static int mtd_parser_tplink_safeloader_parse(struct mtd_info *mtd,
     	return idx;
     
     err_free:
    +	kfree(buf);
     	for (idx -= 1; idx >= 0; idx--)
     		kfree(parts[idx].name);
     err_free_parts:
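Review bot: at `err_free`, the added `kfree(buf)` is only safe if `buf` is still owned at every `goto err_free`, and the hunk shows the label but none of the jump sites. Check the full function for any path that releases `buf` before jumping here, since that would turn the leak fix into a double free; the success path is unaffected because it returns just above with `return idx;`. As a style point, placing the call after the `parts[idx].name` loop would release resources in reverse order of acquisition, matching the rest of the unwind.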
    
0f5e62ea5c43

mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Zilin Guan · Jan 22, 2026 · Fixed in 6.6.128 · via kernel-cna
1 file changed · +1 1
  • drivers/mtd/parsers/tplink_safeloader.c +1 1 modified
    diff --git a/drivers/mtd/parsers/tplink_safeloader.c b/drivers/mtd/parsers/tplink_safeloader.c
    index 1c689dafca2ae9..3580c79e3277ea 100644
    --- a/drivers/mtd/parsers/tplink_safeloader.c
    +++ b/drivers/mtd/parsers/tplink_safeloader.c
    @@ -116,6 +116,7 @@ static int mtd_parser_tplink_safeloader_parse(struct mtd_info *mtd,
     	return idx;
     
     err_free:
    +	kfree(buf);
     	for (idx -= 1; idx >= 0; idx--)
     		kfree(parts[idx].name);
     err_free_parts:
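Review bot: the pre-image blob on the `index` line of this backport (`1c689dafca2ae9`) differs from the one in the other backports of the same fix, so this tree's copy of the file is not identical even though the hunk lands at the same offset. Before accepting it, confirm in this tree that `buf` is allocated before the loop and is still live at each `goto err_free`, rather than relying on the hunk applying cleanly.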
    
ec121ad626c3

mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Zilin Guan · Jan 22, 2026 · Fixed in 6.18.14 · via kernel-cna
1 file changed · +1 1
  • drivers/mtd/parsers/tplink_safeloader.c +1 1 modified
    diff --git a/drivers/mtd/parsers/tplink_safeloader.c b/drivers/mtd/parsers/tplink_safeloader.c
    index e358a029dc70cf..4fcaf92d22e4fe 100644
    --- a/drivers/mtd/parsers/tplink_safeloader.c
    +++ b/drivers/mtd/parsers/tplink_safeloader.c
    @@ -116,6 +116,7 @@ static int mtd_parser_tplink_safeloader_parse(struct mtd_info *mtd,
     	return idx;
     
     err_free:
    +	kfree(buf);
     	for (idx -= 1; idx >= 0; idx--)
     		kfree(parts[idx].name);
     err_free_parts:
    
971e9c53aed8

mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Zilin Guan · Jan 22, 2026 · Fixed in 6.19.4 · via kernel-cna
1 file changed · +1 1
  • drivers/mtd/parsers/tplink_safeloader.c +1 1 modified
    diff --git a/drivers/mtd/parsers/tplink_safeloader.c b/drivers/mtd/parsers/tplink_safeloader.c
    index e358a029dc70cf..4fcaf92d22e4fe 100644
    --- a/drivers/mtd/parsers/tplink_safeloader.c
    +++ b/drivers/mtd/parsers/tplink_safeloader.c
    @@ -116,6 +116,7 @@ static int mtd_parser_tplink_safeloader_parse(struct mtd_info *mtd,
     	return idx;
     
     err_free:
    +	kfree(buf);
     	for (idx -= 1; idx >= 0; idx--)
     		kfree(parts[idx].name);
     err_free_parts:
    
980ce2b02dd0

mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Zilin Guan · Jan 22, 2026 · Fixed in 7.0 · via kernel-cna
1 file changed · +1 1
  • drivers/mtd/parsers/tplink_safeloader.c +1 1 modified
    diff --git a/drivers/mtd/parsers/tplink_safeloader.c b/drivers/mtd/parsers/tplink_safeloader.c
    index e358a029dc70cf..4fcaf92d22e4fe 100644
    --- a/drivers/mtd/parsers/tplink_safeloader.c
    +++ b/drivers/mtd/parsers/tplink_safeloader.c
    @@ -116,6 +116,7 @@ static int mtd_parser_tplink_safeloader_parse(struct mtd_info *mtd,
     	return idx;
     
     err_free:
    +	kfree(buf);
     	for (idx -= 1; idx >= 0; idx--)
     		kfree(parts[idx].name);
     err_free_parts:
    

Vulnerability mechanics

Root cause

"Missing `kfree(buf)` in the error path of `mtd_parser_tplink_safeloader_parse()` causes a memory leak when allocation of `parts[idx].name` fails."

Attack vector

An attacker would need to trigger a memory allocation failure for `parts[idx].name` inside the loop in `mtd_parser_tplink_safeloader_parse()` in `drivers/mtd/parsers/tplink_safeloader.c`. When that allocation fails, the code jumps to the `err_free` label without freeing the `buf` buffer previously allocated by `mtd_parser_tplink_safeloader_read_table()`. This is a local memory leak that accumulates over repeated parsing attempts; the advisory does not specify a concrete external trigger beyond the allocation failure condition.

Affected code

The vulnerable function is `mtd_parser_tplink_safeloader_parse()` in `drivers/mtd/parsers/tplink_safeloader.c`. The `err_free` label (around line 116) previously only freed `parts[idx].name` but not the `buf` pointer allocated earlier by `mtd_parser_tplink_safeloader_read_table()`.

What the fix does

The patch adds a single line `kfree(buf);` at the `err_free` label, before the existing loop that frees `parts[idx].name`. This ensures that the temporary buffer `buf` allocated by `mtd_parser_tplink_safeloader_read_table()` is always freed when the error path is taken, closing the memory leak. The fix is identical across all backport commits [patch_id=2661321] [patch_id=2661320] [patch_id=2661319] [patch_id=2661317] [patch_id=2661318] [patch_id=2661314] [patch_id=2661313] [patch_id=2661316] [patch_id=2661315] [patch_id=2661312].
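The leak and the effect of the added line can be reproduced in user space with a counting allocator. This C model is an added example, not kernel code and not taken from the advisory or the patch; `xalloc`, `xfree`, `parse`, `leaked`, the `fixed` flag and the buffer sizes are hypothetical stand-ins for the kernel allocator and the parser's control flow.

```c
#include <stdlib.h>
/* User-space model, not kernel code; every name here is hypothetical. */
struct part { char *name; };
static int live, calls, fail_at; /* outstanding allocs, call counter, failing call */

static void *xalloc(size_t n)    /* stands in for the kernel allocator */
{
	void *p = (++calls == fail_at) ? NULL : malloc(n);
	live += (p != NULL);
	return p;
}
static void xfree(void *p) { live -= (p != NULL); free(p); } /* NULL-safe, like kfree() */

static int parse(int nparts, int fixed) /* fixed != 0 models the patched label */
{
	struct part *parts = xalloc(nparts * sizeof(*parts));
	char *buf;
	int idx, i;
	if (!parts)
		return -1;
	buf = xalloc(64);            /* stands in for the read_table() buffer */
	if (!buf)
		goto err_free_parts;
	for (idx = 0; idx < nparts; idx++) {
		parts[idx].name = xalloc(16);
		if (!parts[idx].name)
			goto err_free;   /* buf is still owned at this point */
	}
	xfree(buf);                  /* success path releases the temporary buffer */
	for (i = 0; i < idx; i++)    /* model only: the kernel hands parts to the caller */
		xfree(parts[i].name);
	xfree(parts);
	return idx;
err_free:
	if (fixed)
		xfree(buf);              /* the line the patch adds */
	for (idx -= 1; idx >= 0; idx--)
		xfree(parts[idx].name);
err_free_parts:
	xfree(parts);
	return -1;
}

/* Fail the n-th allocation (1-based, 0 = none); return what is still outstanding. */
static int leaked(int nparts, int n, int fixed)
{
	live = calls = 0;
	fail_at = n;
	parse(nparts, fixed);
	return live;
}
```

With three parts and the fourth allocation (the second name) failing, `leaked(3, 4, 0)` reports one outstanding allocation, which is `buf`, and `leaked(3, 4, 1)` reports none.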

Preconditions

  • config: The kernel must be built with the TP-Link SafeLoader partition parser enabled (CONFIG_MTD_TPLINK_SAFELOADER).
  • input: A memory allocation failure for parts[idx].name must occur inside the parsing loop.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
