#VU124508 Missing release of memory after effective lifetime in Linux kernel - CVE-2026-23337
Published: March 25, 2026
Vulnerability identifier: #VU124508
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23337
CWE-ID: CWE-401
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Linux kernel
Linux kernel
Software vendor:
Linux Foundation
Linux Foundation
Description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the pinctrl subsystem when parsing device tree configuration. A local user can trigger a memory leak by providing malformed device tree configuration, leading to gradual resource exhaustion.
Exploitation requires the ability to supply or influence device tree configuration processed by the kernel.
Remediation
Install security update from vendor's repository.