CVE-2026-45997
Analyzed Analyzed - Analysis Complete
Linux kernel Missing Disk Reference Cleanup in SCSI SD Driver

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails If device_add(&sdkp->disk_dev) fails, put_device() runs scsi_disk_release(), which frees the scsi_disk but leaves the gendisk referenced. The device_add_disk() error path in sd_probe() calls put_disk(gd); call put_disk(gd) here to mirror that cleanup.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45997
EUVD
EUVD-2026-32293
Affected Vendors & Products
Showing 18 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.15
linux linux_kernel 5.15
linux linux_kernel 5.15
linux linux_kernel 5.15
linux linux_kernel 5.15
linux linux_kernel 5.15
linux linux_kernel From 5.14.11 (inc) to 5.15 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.86 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.140 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.27 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.4 (exc)
linux linux_kernel From 4.14.250 (inc) to 4.15 (exc)
linux linux_kernel From 4.19.210 (inc) to 4.20 (exc)
linux linux_kernel From 4.4.288 (inc) to 4.5 (exc)
linux linux_kernel From 4.9.286 (inc) to 4.10 (exc)
linux linux_kernel From 5.10.72 (inc) to 5.11 (exc)
linux linux_kernel From 5.15.1 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.4.152 (inc) to 5.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is related to the Linux kernel's SCSI disk driver. Specifically, when the function device_add(&sdkp->disk_dev) fails, the cleanup process does not properly release all references. The function put_device() calls scsi_disk_release(), which frees the scsi_disk structure but leaves the gendisk structure still referenced. The fix involves calling put_disk(gd) in the error path to ensure proper cleanup and avoid resource leaks.

Impact Analysis

If this vulnerability is present, it can lead to improper resource cleanup in the Linux kernel's SCSI disk driver. This may cause resource leaks, potentially leading to increased memory usage or instability in the system handling SCSI disks.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by fixing the missing put_disk() call when device_add(&disk_dev) fails. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45997. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart