CVE Catalog

CVE-2026-45872

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile - higher than 6% of all known CVEs

Summary

A memory leak was detected in the Linux kernel in the pqi_report_phys_luns() function of the smartpqi driver for SCSI controllers. When encountering an unsupported data format or failing to allocate the rpl_16byte_wwid_list buffer, the function returned an error without freeing the previously allocated rpl_list buffer, leading to memory leaks.

Risk Assessment

The memory leak can exhaust available system memory over time, leading to performance degradation or system crashes, especially in long-running environments.

Recommendation

It is recommended to update the Linux kernel to a version containing the fix, which adds an out_free_rpl_list label and goto statements to ensure the rpl_list buffer is freed in all error paths.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix memory leak in pqi_report_phys_luns() pqi_report_phys_luns() fails to release the rpl_list buffer when encountering an unsupported data format or when the allocation for rpl_16byte_wwid_list fails. These early returns bypass the cleanup logic, leading to memory leaks. Consolidate the error handling by adding an out_free_rpl_list label and use goto statements to ensure rpl_list is consistently freed on failure. Compile tested only. Issue found using a prototype static analysis tool and code review.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS