CVE-2026-45997
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
If device_add(&sdkp->disk_dev) fails, put_device() runs scsi_disk_release(), which frees the scsi_disk but leaves the gendisk referenced. The device_add_disk() error path in sd_probe() calls put_disk(gd); call put_disk(gd) here to mirror that cleanup.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing put_disk() in Linux kernel SCSI sd driver on device_add() failure leads to memory leak and dangling reference.
Vulnerability
In the Linux kernel, the SCSI disk driver (sd) fails to call put_disk() when device_add(&sdkp->disk_dev) fails within sd_probe(). The error path calls put_device(), which triggers scsi_disk_release() and frees the scsi_disk structure, but the underlying gendisk remains referenced. This leaves a dangling reference and a memory leak. The affected code is in the sd_probe() function. The fix was applied in kernel stable tree commit [1].
Exploitation
An attacker would need to trigger a failure in device_add() during probe of a SCSI disk device. This could be achieved through resource exhaustion or other error conditions that cause the device registration to fail. No special privileges beyond the ability to cause a SCSI disk probe failure are required; the attack surface is local, likely requiring physical or logical access to the system's storage subsystem.
Impact
On a successful exploitation, the kernel leaks the gendisk reference count, leading to a memory leak of the gendisk structure. Over time, repeated triggering could exhaust memory. The vulnerability does not directly allow code execution or privilege escalation, but memory exhaustion can lead to denial of service.
Mitigation
The fix is included in the Linux kernel stable tree as commit [1]. Systems should update to a kernel version containing this fix. No workaround is available; the fix must be applied via kernel update. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
101e111c4b3a72scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
2 files changed · +2 −2
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 205877b1f8aae5..adc3fa55ca2c37 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -4061,6 +4061,7 @@ static int sd_probe(struct scsi_device *sdp) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 205877b1f8aae5..adc3fa55ca2c37 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -4061,6 +4061,7 @@ static int sd_probe(struct scsi_device *sdp) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
262152ec3710scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
2 files changed · +2 −2
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 873c920eb0cf06..8cb10cb78b1d8d 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3727,6 +3727,7 @@ static int sd_probe(struct device *dev) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 873c920eb0cf06..8cb10cb78b1d8d 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3727,6 +3727,7 @@ static int sd_probe(struct device *dev) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
b64b4f499801scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
2 files changed · +2 −2
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 3745cf8569171b..f37f031971dfdb 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3982,6 +3982,7 @@ static int sd_probe(struct device *dev) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 3745cf8569171b..f37f031971dfdb 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3982,6 +3982,7 @@ static int sd_probe(struct device *dev) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
a95d38c57014scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
2 files changed · +2 −2
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 628a1d0a74bac2..aba22060fcd503 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -4018,6 +4018,7 @@ static int sd_probe(struct scsi_device *sdp) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 628a1d0a74bac2..aba22060fcd503 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -4018,6 +4018,7 @@ static int sd_probe(struct scsi_device *sdp) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
13e550fbfccdscsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
2 files changed · +2 −2
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 0252d3f6bed173..072d4c4add3348 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3979,6 +3979,7 @@ static int sd_probe(struct device *dev) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 0252d3f6bed173..072d4c4add3348 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3979,6 +3979,7 @@ static int sd_probe(struct device *dev) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
1e111c4b3a72scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
2 files changed · +2 −2
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 205877b1f8aae5..adc3fa55ca2c37 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -4061,6 +4061,7 @@ static int sd_probe(struct scsi_device *sdp) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 205877b1f8aae5..adc3fa55ca2c37 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -4061,6 +4061,7 @@ static int sd_probe(struct scsi_device *sdp) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
13e550fbfccdscsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
2 files changed · +2 −2
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 0252d3f6bed173..072d4c4add3348 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3979,6 +3979,7 @@ static int sd_probe(struct device *dev) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 0252d3f6bed173..072d4c4add3348 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3979,6 +3979,7 @@ static int sd_probe(struct device *dev) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
262152ec3710scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
2 files changed · +2 −2
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 873c920eb0cf06..8cb10cb78b1d8d 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3727,6 +3727,7 @@ static int sd_probe(struct device *dev) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 873c920eb0cf06..8cb10cb78b1d8d 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3727,6 +3727,7 @@ static int sd_probe(struct device *dev) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
a95d38c57014scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
2 files changed · +2 −2
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 628a1d0a74bac2..aba22060fcd503 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -4018,6 +4018,7 @@ static int sd_probe(struct scsi_device *sdp) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 628a1d0a74bac2..aba22060fcd503 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -4018,6 +4018,7 @@ static int sd_probe(struct scsi_device *sdp) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
b64b4f499801scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
2 files changed · +2 −2
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 3745cf8569171b..f37f031971dfdb 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3982,6 +3982,7 @@ static int sd_probe(struct device *dev) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
drivers/scsi/sd.c+1 −1 modifieddiff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 3745cf8569171b..f37f031971dfdb 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3982,6 +3982,7 @@ static int sd_probe(struct device *dev) error = device_add(&sdkp->disk_dev); if (error) { put_device(&sdkp->disk_dev); + put_disk(gd); goto out; } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing put_disk() call in the sd_probe() error path when device_add(&sdkp->disk_dev) fails, causing a gendisk reference leak."
Attack vector
An attacker with the ability to trigger SCSI device probe failures (e.g., by hot-plugging a faulty SCSI device or causing transient resource exhaustion) can cause device_add(&sdkp->disk_dev) to fail in the sd_probe() function [patch_id=2660583]. When this error path executes, put_device() frees the scsi_disk structure but does not release the associated gendisk, leaving it permanently referenced. Repeated triggering of this error path can exhaust kernel memory, leading to a denial-of-service condition.
Affected code
The vulnerability is in the sd_probe() function in drivers/scsi/sd.c. The error path following a failed device_add(&sdkp->disk_dev) call was missing a put_disk(gd) call [patch_id=2660583].
What the fix does
The patch adds a single call to put_disk(gd) in the error branch after device_add(&sdkp->disk_dev) fails, mirroring the cleanup already performed in the device_add_disk() error path [patch_id=2660583]. This ensures the gendisk reference count is properly decremented when the scsi_disk is freed via scsi_disk_release(), preventing the reference leak.
Preconditions
- inputA SCSI device probe must fail at the device_add(&sdkp->disk_dev) step.
- networkLocal access to hot-plug or trigger SCSI device attachment/detachment is required.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/13e550fbfccdb311e76ec96892dfe35f0dba0657nvd
- git.kernel.org/stable/c/1e111c4b3a726df1254670a5cc4868cedb946d37nvd
- git.kernel.org/stable/c/262152ec37101f9dc524743ccdbd6c7641d14573nvd
- git.kernel.org/stable/c/a95d38c5701431bfc826e7b18acc0785919d5c88nvd
- git.kernel.org/stable/c/b64b4f499801b12d0e2785447e4df6c164c608a9nvd
News mentions
0No linked articles in our index yet.