CVE-2026-45997
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
A vulnerability in the Linux kernel has been fixed related to the missing put_disk() call when device_add(&disk_dev) fails. This bug resulted in the scsi_disk being freed while the gendisk remained referenced.
Risk Assessment
The lack of proper resource cleanup may lead to memory leaks and system instability, threatening the integrity and availability of services.
Recommendation
It is recommended to update the Linux kernel to the latest version to eliminate this vulnerability and ensure proper resource management.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails If device_add(&sdkp->disk_dev) fails, put_device() runs scsi_disk_release(), which frees the scsi_disk but leaves the gendisk referenced. The device_add_disk() error path in sd_probe() calls put_disk(gd); call put_disk(gd) here to mirror that cleanup.

