CVE-2026-43004
Resource Leak in STM32 OSPI SPI Controller
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stm32 | stm32-ospi | * |
| stmicroelectronics | stm32-ospi | * |
| stm32-ospi | stm32-ospi | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The vulnerability involves a resource leak in the remove() callback of the stm32-ospi SPI controller in the Linux kernel. To mitigate this issue, you should update your Linux kernel to a version where this fix has been applied, ensuring that the remove() callback properly cleans up resources regardless of the PM resume result.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's stm32-ospi SPI controller driver. Specifically, in the remove() callback function, there was an early return if the function pm_runtime_resume_and_get() failed. This early return caused the cleanup of the SPI controller and other resources to be skipped, leading to a resource leak.
The fix involved removing this early return so that cleanup operations complete regardless of whether pm_runtime_resume_and_get() succeeds or fails.
How can this vulnerability impact me? :
The impact of this vulnerability is a resource leak in the SPI controller driver. If the remove() callback does not properly clean up resources, it could lead to wasted system resources such as memory or hardware handles remaining allocated unnecessarily.
Over time, this could degrade system performance or stability, especially in systems that frequently load and unload the SPI controller driver.