PatchSiren

CVE-2026-43242 Linux CVE debrief

CVE-2026-43242 is a Linux kernel availability issue in the TI K3 SoC info driver. According to the CVE description, the mmio regmap allocated during probe was not being freed, which could leave resources unreleased on probe failures such as probe deferral and on driver unbind. NVD rates the issue 5.5 MEDIUM and classifies it as CWE-401 (missing release of memory after effective lifetime).

Vendor: Linux
Product: CVE-2026-43242
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-06
Original CVE updated: 2026-05-11
Advisory published: 2026-05-06
Advisory updated: 2026-05-11

Who should care

Linux kernel maintainers, embedded Linux platform teams, and operators running kernels with the TI K3 SoC info driver should review this. It is most relevant for systems that may repeatedly probe the driver, defer probing, or unbind/rebind the module during normal operation or provisioning.

Technical summary

The flaw is a resource-management bug in soc: ti: k3-socinfo. A regmap allocated during probe was not released on failure paths. The reported fix switches to a device-managed allocator so the regmap is automatically cleaned up on probe failure and driver unbind. NVD lists the issue as local, low-complexity, low-privilege, and availability-impacting only (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). NVD’s affected-version ranges cover Linux kernel releases from 5.10.238 before 5.10.252, 5.15.185 before 5.15.202, 6.1.141 before 6.1.165, 6.6.93 before 6.6.128, 6.12.31 before 6.12.75, 6.14.9 before 6.18.16, and 6.19 before 6.19.6.

Defensive priority

Medium. This is not an execution or integrity issue, but it can degrade availability through unreleased kernel resources and is fixed in maintained kernel branches.

Recommended defensive actions

  • Check whether your kernel build includes the TI k3-socinfo regmap leak fix referenced by the linked kernel patches.
  • If you ship or maintain affected Linux kernel versions, upgrade to a patched release in the relevant stable branch listed by NVD.
  • If immediate upgrade is not possible, minimize unnecessary probe/unbind cycles for affected TI K3 devices and monitor for resource exhaustion symptoms.
  • Validate the running kernel version against the NVD affected ranges before planning remediation.
  • Track downstream vendor kernels, since backports may land under different version numbers than mainline.
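
One way to do the version and build checks from the list above, as an added example that is not part of the original debrief or of any kernel tooling. The ranges are the NVD ranges quoted in the technical summary; the function names are hypothetical, and the Kconfig symbol CONFIG_TI_K3_SOCINFO is an assumption about the upstream build option, not something this page states.

```python
import platform
import re

# Upstream ranges as listed on this page from NVD: (first affected, first fixed).
AFFECTED_RANGES = [
    ((5, 10, 238), (5, 10, 252)),
    ((5, 15, 185), (5, 15, 202)),
    ((6, 1, 141), (6, 1, 165)),
    ((6, 6, 93), (6, 6, 128)),
    ((6, 12, 31), (6, 12, 75)),
    ((6, 14, 9), (6, 18, 16)),
    ((6, 19, 0), (6, 19, 6)),
]
# Assumption (not from this page): upstream Kconfig symbol for k3-socinfo.
DRIVER_SYMBOL = "CONFIG_TI_K3_SOCINFO"


def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` style string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(part or 0) for part in m.groups())


def affected_range(release):
    """Return the matching (start, fixed) pair, or None if outside all ranges."""
    version = parse_release(release)
    for start, fixed in AFFECTED_RANGES:
        if start <= version < fixed:
            return start, fixed
    return None


def driver_enabled(config_text):
    """True if the config text builds the driver in (=y) or as a module (=m)."""
    return re.search(rf"^{DRIVER_SYMBOL}=[ym]$", config_text, re.MULTILINE) is not None


def assess(release, config_text=None):
    """Classify a kernel: 'outside-range', 'driver-not-built' or 'review'."""
    if affected_range(release) is None:
        return "outside-range"
    if config_text is not None and not driver_enabled(config_text):
        return "driver-not-built"
    return "review"  # in an upstream range; vendor backports still need checking


if __name__ == "__main__":
    print(platform.release(), assess(platform.release()))
```

A "review" result only means the upstream version number falls inside a listed range; a vendor kernel with that number may already carry the backported fix, so confirm against the vendor changelog or the linked kernel patches.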

Evidence notes

The CVE record and NVD detail page are the official vulnerability sources provided in the corpus. The CVE description states that the mmio regmap allocated during probe was never freed and that the fix uses a device-managed allocator. NVD supplies the CWE-401 classification, CVSS vector, and affected Linux kernel version ranges. The kernel.org stable links in the reference list are patch references supporting remediation.

Official resources

Public CVE record published by NVD on 2026-05-06 and last modified on 2026-05-11. This debrief uses only the supplied official CVE/NVD data and kernel.org patch references.