CVE-2026-45872
Awaiting Analysis - Queue
Memory Leak in Linux Kernel scsi:smartpqi Driver

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: smartpqi: Fix memory leak in pqi_report_phys_luns()

pqi_report_phys_luns() fails to release the rpl_list buffer when encountering an unsupported data format or when the allocation for rpl_16byte_wwid_list fails. These early returns bypass the cleanup logic, leading to memory leaks.

Consolidate the error handling by adding an out_free_rpl_list label and use goto statements to ensure rpl_list is consistently freed on failure.

Compile tested only. Issue found using a prototype static analysis tool and code review.

Meta Information

Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 2 associated CPEs
Vendor        Product       Version / Range
linux         kernel        *
linux_kernel  linux_kernel  *

CWE ID: CWE-UNKNOWN

Compliance Impact

The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in the Linux kernel's SCSI smartpqi driver, specifically in the function pqi_report_phys_luns(). The function fails to release a memory buffer called rpl_list when it encounters an unsupported data format or when memory allocation for rpl_16byte_wwid_list fails. Because these cases return early, the cleanup logic is bypassed and the buffer is leaked.

The fix involves consolidating error handling by adding a label (out_free_rpl_list) and using goto statements to ensure that the rpl_list buffer is always freed on failure, preventing the memory leak.
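
The leak and the goto cleanup described above, as a simplified user-space model added here for illustration; it is not the smartpqi driver's code. Only the names rpl_list, rpl_16byte_wwid_list and out_free_rpl_list come from the description; the allocation counter, helper names, buffer sizes, return values and the success-path behaviour are assumptions.

```c
#include <stdlib.h>

/* User-space model (assumption): live_allocs counts buffers not yet freed. */
static int live_allocs;
static void *model_alloc(size_t n, int fail)
{
    void *p = fail ? NULL : calloc(1, n);
    if (p) live_allocs++;
    return p;
}
static void model_free(void *p) { if (p) { live_allocs--; free(p); } }

/* "Before" shape: both early returns skip the free of rpl_list. */
int report_leaky(int fmt_ok, int fail_wwid, void **buffer)
{
    void *rpl_list = model_alloc(64, 0), *rpl_16byte_wwid_list;
    if (!rpl_list) return -1;
    if (!fmt_ok) return -2;                     /* rpl_list leaked */
    rpl_16byte_wwid_list = model_alloc(128, fail_wwid);
    if (!rpl_16byte_wwid_list) return -3;       /* rpl_list leaked */
    model_free(rpl_list);                       /* model: replaced by new list */
    *buffer = rpl_16byte_wwid_list;
    return 0;
}

/* "After" shape: every exit past the first allocation goes through the label. */
int report_fixed(int fmt_ok, int fail_wwid, void **buffer)
{
    int rc = 0;
    void *rpl_list = model_alloc(64, 0), *rpl_16byte_wwid_list;
    if (!rpl_list) return -1;
    if (!fmt_ok) { rc = -2; goto out_free_rpl_list; }
    rpl_16byte_wwid_list = model_alloc(128, fail_wwid);
    if (!rpl_16byte_wwid_list) { rc = -3; goto out_free_rpl_list; }
    *buffer = rpl_16byte_wwid_list;
out_free_rpl_list:
    model_free(rpl_list);
    return rc;
}

/* Buffers still held after one call; the caller-owned result is released first. */
int leaked_by(int (*fn)(int, int, void **), int fmt_ok, int fail_wwid)
{
    void *buffer = NULL;
    int before = live_allocs;
    fn(fmt_ok, fail_wwid, &buffer);
    model_free(buffer);
    return live_allocs - before;
}
```

Calling leaked_by() with each function shows one stranded buffer per failed call in the "before" shape and none in the "after" shape, which is why repeated failures accumulate memory until the fix is applied.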

Impact Analysis

This vulnerability can lead to memory leaks in the Linux kernel when the affected function encounters certain error conditions. Over time, these leaks could cause increased memory usage, potentially degrading system performance or leading to system instability if the leaks accumulate significantly.

Mitigation Strategies

The vulnerability is a memory leak in the Linux kernel's smartpqi driver related to the pqi_report_phys_luns() function. Immediate mitigation involves updating or patching the Linux kernel to a version where this issue is fixed.

Specifically, ensure your system is running a kernel version that includes the fix which consolidates error handling by adding an out_free_rpl_list label and uses goto statements to consistently free the rpl_list buffer on failure.
