CVE-2026-43375
Received Received - Intake
USB Device Leak in Linux Kernel mctp Driver

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: mctp: fix device leak on probe failure Driver core holds a reference to the USB interface and its parent USB device while the interface is bound to a driver and there is no need to take additional references unless the structures are needed after disconnect. This driver takes a reference to the USB device during probe but does not to release it on probe failures. Drop the redundant device reference to fix the leak, reduce cargo culting, make it easier to spot drivers where an extra reference is needed, and reduce the risk of further memory leaks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43375
EUVD
EUVD-2026-28681
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a memory leak in the Linux kernel related to the MCTP (Management Component Transport Protocol) driver. Specifically, during the device probe process, the driver takes a reference to the USB device but fails to release it if the probe fails. This causes a device reference leak because the driver holds onto the USB device reference unnecessarily.

The issue arises because the driver core already holds a reference to the USB interface and its parent USB device while the interface is bound to a driver, so taking an additional reference during probe is redundant unless the structures are needed after disconnect. The fix involves dropping this redundant device reference to prevent the leak.

Impact Analysis

This vulnerability can lead to a memory leak in the Linux kernel when the MCTP driver fails to release a USB device reference on probe failure. Over time, this leak could consume system memory unnecessarily, potentially degrading system performance or stability.

While it does not directly cause a security breach like data exposure or privilege escalation, the memory leak could contribute to resource exhaustion, which might affect system reliability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43375. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart