CVE-2026-43375
USB Device Leak in Linux Kernel mctp Driver
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a memory leak in the Linux kernel related to the MCTP (Management Component Transport Protocol) driver. Specifically, during the device probe process, the driver takes a reference to the USB device but fails to release it if the probe fails. This causes a device reference leak because the driver holds onto the USB device reference unnecessarily.
The issue arises because the driver core already holds a reference to the USB interface and its parent USB device while the interface is bound to a driver, so taking an additional reference during probe is redundant unless the structures are needed after disconnect. The fix involves dropping this redundant device reference to prevent the leak.
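The reference-counting pattern described above, as an added userspace C model. It is not the kernel driver's code, which this page does not show; `probe_leaky`, `probe_fixed`, `leaked_refs` and every `model_*` name are hypothetical stand-ins.

```c
#include <stdio.h>

/* Userspace model only: every name here is hypothetical, not kernel code. */
struct model_usb_dev { int refs; };
struct model_priv { struct model_usb_dev *udev; int owns_ref; };
typedef int (*probe_fn)(struct model_usb_dev *, struct model_priv *, int);

static void model_get(struct model_usb_dev *d) { d->refs++; }
static void model_put(struct model_usb_dev *d) { d->refs--; }

/* Leaky pattern: probe takes its own reference, error path never drops it. */
static int probe_leaky(struct model_usb_dev *d, struct model_priv *p, int fail)
{
    model_get(d);
    p->udev = d;
    p->owns_ref = 1;
    return fail ? -1 : 0;   /* failure returns without model_put() */
}

/* Fixed pattern: borrow the pointer; the core's reference covers the binding. */
static int probe_fixed(struct model_usb_dev *d, struct model_priv *p, int fail)
{
    p->udev = d;
    p->owns_ref = 0;
    return fail ? -1 : 0;
}

/* Disconnect only runs after a successful probe. */
static void model_disconnect(struct model_priv *p)
{
    if (p->owns_ref)
        model_put(p->udev);
}

/* Model of the driver core: returns references left beyond the baseline of 1. */
static int leaked_refs(probe_fn probe, int fail)
{
    struct model_usb_dev dev = { 1 };
    struct model_priv priv = { 0, 0 };
    model_get(&dev);                      /* core reference for the binding */
    if (probe(&dev, &priv, fail) == 0)
        model_disconnect(&priv);          /* bound, then later unbound */
    model_put(&dev);                      /* core drops its reference */
    return dev.refs - 1;
}

int main(void)
{
    printf("failed probe leaks: leaky=%d fixed=%d\n",
           leaked_refs(probe_leaky, 1), leaked_refs(probe_fixed, 1));
    return 0;
}
```

The leaky variant balances its reference only when probe succeeds and disconnect later runs, so the count is off by one only on the failure path.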
How can this vulnerability impact me?
This vulnerability can lead to a memory leak in the Linux kernel when the MCTP driver fails to release a USB device reference on probe failure. Over time, this leak could consume system memory unnecessarily, potentially degrading system performance or stability.
While it does not directly cause a security breach like data exposure or privilege escalation, the memory leak could contribute to resource exhaustion, which might affect system reliability.