CVE-2026-45868 Linux CVE debrief

Who should care

Linux system administrators, embedded device manufacturers using pinctrl-single for GPIO control, kernel maintainers, and security teams tracking kernel-level resource exhaustion vulnerabilities

Technical summary

The pinctrl-single driver in the Linux kernel contains a reference-count leak in `pcs_add_gpio_func()`. When parsing GPIO device tree phandles via `of_parse_phandle_with_args()`, the returned `device_node` references are never released with `of_node_put()`. This occurs both in the normal iteration loop and in the error path when memory allocation fails. The leak accumulates with each GPIO phandle processed, potentially leading to resource exhaustion. The fix adds proper `of_node_put()` calls in both locations.

Defensive priority

medium

Recommended defensive actions

• Apply kernel patches from stable branches as referenced in the CVE record
• Monitor kernel stable updates for your distribution
• Review systems using pinctrl-single driver for GPIO functionality
• Consider rebooting systems after kernel updates to ensure patched code is active

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-27. The fix involves adding `of_node_put()` calls to release device_node references after argument extraction and on the `devm_kzalloc()` failure path. Eight kernel.org stable commit references are provided, indicating backports to multiple kernel versions. No CVSS score or severity rating is currently assigned (status: Awaiting Analysis).

Official resources