CVE-2026-45872
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk6th percentile - higher than 6% of all known CVEs
Summary
A memory leak was detected in the Linux kernel in the pqi_report_phys_luns() function of the smartpqi driver for SCSI controllers. When encountering an unsupported data format or failing to allocate the rpl_16byte_wwid_list buffer, the function returned an error without freeing the previously allocated rpl_list buffer, leading to memory leaks.
Risk Assessment
The memory leak can exhaust available system memory over time, leading to performance degradation or system crashes, especially in long-running environments.
Recommendation
It is recommended to update the Linux kernel to a version containing the fix, which adds an out_free_rpl_list label and goto statements to ensure the rpl_list buffer is freed in all error paths.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix memory leak in pqi_report_phys_luns() pqi_report_phys_luns() fails to release the rpl_list buffer when encountering an unsupported data format or when the allocation for rpl_16byte_wwid_list fails. These early returns bypass the cleanup logic, leading to memory leaks. Consolidate the error handling by adding an out_free_rpl_list label and use goto statements to ensure rpl_list is consistently freed on failure. Compile tested only. Issue found using a prototype static analysis tool and code review.

