CVE Catalog

CVE-2026-31732

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

In the Linux kernel, a resource leak was found in gpiochip_add_data_with_key() on error paths. After commit aab5c6f20023, `gdev->dev.release` is unset, so the reference count to `gdev->dev` is not dropped on errors. The fix drops the reference and reorders code to prevent double-free.

Risk Assessment

Resource leaks can lead to gradual kernel memory exhaustion, potentially causing denial of service (DoS) on systems heavily using GPIO.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit addressing CVE-2026-31732). For production systems, apply the security patch after testing.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: gpio: Fix resource leaks on errors in gpiochip_add_data_with_key() Since commit aab5c6f20023 ("gpio: set device type for GPIO chips"), `gdev->dev.release` is unset. As a result, the reference count to `gdev->dev` isn't dropped on the error handling paths. Drop the reference on errors. Also reorder the instructions to make the error handling simpler. Now gpiochip_add_data_with_key() roughly looks like: >>> Some memory allocation. Go to ERR ZONE 1 on errors. >>> device_initialize(). gpiodev_release() takes over the responsibility for freeing the resources of `gdev->dev`. The subsequent error handling paths shouldn't go through ERR ZONE 1 again which leads to double free. >>> Some initialization mainly on `gdev`. >>> The rest of initialization. Go to ERR ZONE 2 on errors. >>> Chip registration success and exit. >>> ERR ZONE 2. gpio_device_put() and exit. >>> ERR ZONE 1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS