CVE Catalog

CVE-2026-45870

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile - higher than 6% of all known CVEs

Summary

In the Linux kernel, memory leaks were found in XDR decoding functions in the auth_gss module of the SUNRPC protocol. The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() functions allocate memory via gssx_dec_buffer() but fail to free it when a subsequent decode operation fails, leading to memory leaks. The leak in gssx_dec_ctx() is particularly critical because the caller initializes buffer length fields to non-zero values, forcing memory allocation.

Risk Assessment

Memory leaks can lead to exhaustion of available system memory, resulting in performance degradation or system crashes, especially during long-term operation or intensive use of GSS-API authentication.

Recommendation

Immediately apply the Linux kernel patch that adds error handling with goto-based cleanup in the gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() functions to free previously allocated buffers before returning an error.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() functions allocate memory via gssx_dec_buffer(), which calls kmemdup(). When a subsequent decode operation fails, these functions return immediately without freeing previously allocated buffers, causing memory leaks. The leak in gssx_dec_ctx() is particularly relevant because the caller (gssp_accept_sec_context_upcall) initializes several buffer length fields to non-zero values, resulting in memory allocation: struct gssx_ctx rctxh = { .exported_context_token.len = GSSX_max_output_handle_sz, .mech.len = GSS_OID_MAX_LEN, .src_name.display_name.len = GSSX_max_princ_sz, .targ_name.display_name.len = GSSX_max_princ_sz }; If, for example, gssx_dec_name() succeeds for src_name but fails for targ_name, the memory allocated for exported_context_token, mech, and src_name.display_name remains unreferenced and cannot be reclaimed. Add error handling with goto-based cleanup to free any previously allocated buffers before returning an error.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS