CVE-2026-43457
Memory Leak in Linux Kernel MCTP I2C Driver
Publication date: 2026-05-08
Last updated on: 2026-05-21
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.2 (inc) to 6.6.130 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.19 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.78 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.9 (exc) |
| linux | linux_kernel | From 5.18 (inc) to 6.1.167 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is related to the Linux kernel's mctp i2c component. Specifically, when the 'midev->allow_rx' flag is false, a newly allocated socket buffer (skb) is not properly handled by the network receive function (netif_rx()). Instead of being consumed, the skb needs to be freed directly to avoid a memory leak.
How can this vulnerability impact me? :
The impact of this vulnerability is a memory leak in the Linux kernel's network receive path for the mctp i2c component. Over time, this could lead to increased memory usage and potentially degrade system performance or stability if the leaked memory accumulates.