CVE-2026-43375
Received Received - Intake

USB Device Leak in Linux Kernel mctp Driver

Vulnerability report for CVE-2026-43375, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: net: mctp: fix device leak on probe failure Driver core holds a reference to the USB interface and its parent USB device while the interface is bound to a driver and there is no need to take additional references unless the structures are needed after disconnect. This driver takes a reference to the USB device during probe but does not to release it on probe failures. Drop the redundant device reference to fix the leak, reduce cargo culting, make it easier to spot drivers where an extra reference is needed, and reduce the risk of further memory leaks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-07-09
AI Q&A
2026-05-08
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a memory leak in the Linux kernel related to the MCTP (Management Component Transport Protocol) driver. Specifically, during the device probe process, the driver takes a reference to the USB device but fails to release it if the probe fails. This causes a device reference leak because the driver holds onto the USB device reference unnecessarily.

The issue arises because the driver core already holds a reference to the USB interface and its parent USB device while the interface is bound to a driver, so taking an additional reference during probe is redundant unless the structures are needed after disconnect. The fix involves dropping this redundant device reference to prevent the leak.

Impact Analysis

This vulnerability can lead to a memory leak in the Linux kernel when the MCTP driver fails to release a USB device reference on probe failure. Over time, this leak could consume system memory unnecessarily, potentially degrading system performance or stability.

While it does not directly cause a security breach like data exposure or privilege escalation, the memory leak could contribute to resource exhaustion, which might affect system reliability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43375. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart