PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45872 Linux CVE debrief

A memory leak vulnerability exists in the Linux kernel's smartpqi SCSI driver. The function pqi_report_phys_luns() fails to release the rpl_list buffer when the controller's reply uses an unsupported data format or when the allocation for rpl_16byte_wwid_list fails. Both early-return paths skip the cleanup that frees rpl_list, so each time either condition is hit the buffer is lost for the lifetime of the kernel. The fix consolidates error handling by adding an out_free_rpl_list label and routing both failure paths to it with goto statements, so rpl_list is freed on every exit. The issue was identified through a prototype static analysis tool and code review; the fix was compile-tested only.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

System administrators managing Linux servers with Microsemi/Adaptec Smart Family SCSI/SAS controllers; kernel maintainers and distribution security teams responsible for backporting stable kernel fixes.

Technical summary

The smartpqi driver in the Linux kernel contains a memory leak in the pqi_report_phys_luns() function. When the function encounters an unsupported data format in the controller's reply, or fails to allocate rpl_16byte_wwid_list, it returns early without freeing the previously allocated rpl_list buffer. The resolution introduces a centralized cleanup label (out_free_rpl_list) and goto-based error handling so that rpl_list is released on all failure paths. The practical impact of an unfixed kernel is gradual kernel memory exhaustion on hosts where these error paths are hit repeatedly; there is no memory corruption and no code-execution primitive. Neither trigger is an unprivileged user input path: one depends on what the controller reports, the other on allocation failure under memory pressure. This is a defensive coding fix with no evidence of active exploitation.
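The two error paths and the shape of the fix, as an added userspace model that is not the smartpqi driver's own code. malloc/free stand in for the kernel allocator, a counter tracks outstanding buffers so the leak is measurable, and the format codes, entry sizes, fault-injection flag and the function names report_phys_luns_leaky/report_phys_luns_fixed are all constructed for the example; only rpl_list, rpl_16byte_wwid_list and out_free_rpl_list come from the advisory.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not driver code: a model of the two early returns the
 * advisory describes for pqi_report_phys_luns(), before and after the fix. */

static int live_allocs;       /* buffers allocated but not yet freed */
static int fail_wwid_alloc;   /* fault injection for the second allocation */

static void *track_alloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        live_allocs++;
    return p;
}

static void track_free(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

/* Constructed stand-in for the reply format the controller reports. */
enum rpl_format { RPL_FMT_8BYTE = 0, RPL_FMT_16BYTE = 1, RPL_FMT_BOGUS = 99 };

static void *alloc_wwid_list(size_t n)
{
    return fail_wwid_alloc ? NULL : track_alloc(n);
}

/* "Before": both early returns skip freeing rpl_list, as in the CVE. */
static int report_phys_luns_leaky(enum rpl_format fmt, size_t nents, void **out)
{
    void *rpl_list = track_alloc(nents * 8);
    void *rpl_16byte_wwid_list;

    if (!rpl_list)
        return -ENOMEM;
    if (fmt != RPL_FMT_8BYTE && fmt != RPL_FMT_16BYTE)
        return -EINVAL;                 /* BUG: rpl_list leaked */
    rpl_16byte_wwid_list = alloc_wwid_list(nents * 16);
    if (!rpl_16byte_wwid_list)
        return -ENOMEM;                 /* BUG: rpl_list leaked */
    /* (conversion of entries omitted) */
    *out = rpl_16byte_wwid_list;        /* caller owns the result (assumed) */
    track_free(rpl_list);
    return 0;
}

/* "After": one exit label frees rpl_list on every path that reaches it. */
static int report_phys_luns_fixed(enum rpl_format fmt, size_t nents, void **out)
{
    void *rpl_list = track_alloc(nents * 8);
    void *rpl_16byte_wwid_list;
    int rc = 0;

    if (!rpl_list)
        return -ENOMEM;
    if (fmt != RPL_FMT_8BYTE && fmt != RPL_FMT_16BYTE) {
        rc = -EINVAL;
        goto out_free_rpl_list;
    }
    rpl_16byte_wwid_list = alloc_wwid_list(nents * 16);
    if (!rpl_16byte_wwid_list) {
        rc = -ENOMEM;
        goto out_free_rpl_list;
    }
    /* (conversion of entries omitted) */
    *out = rpl_16byte_wwid_list;

out_free_rpl_list:
    track_free(rpl_list);
    return rc;
}

typedef int (*report_fn)(enum rpl_format, size_t, void **);

/* Runs one variant under one condition and returns how many buffers are
 * still outstanding afterwards; anything above 0 is a leak. */
static int leaked_after(report_fn fn, enum rpl_format fmt, int inject_fail, int *rc_out)
{
    void *out = NULL;
    int rc;

    live_allocs = 0;
    fail_wwid_alloc = inject_fail;
    rc = fn(fmt, 4, &out);
    fail_wwid_alloc = 0;
    if (rc == 0)
        track_free(out);                /* the caller's side of the contract */
    if (rc_out)
        *rc_out = rc;
    return live_allocs;
}

int main(void)
{
    printf("leaky: bogus format %d, alloc failure %d outstanding\n",
           leaked_after(report_phys_luns_leaky, RPL_FMT_BOGUS, 0, NULL),
           leaked_after(report_phys_luns_leaky, RPL_FMT_16BYTE, 1, NULL));
    printf("fixed: bogus format %d, alloc failure %d outstanding\n",
           leaked_after(report_phys_luns_fixed, RPL_FMT_BOGUS, 0, NULL),
           leaked_after(report_phys_luns_fixed, RPL_FMT_16BYTE, 1, NULL));
    return 0;
}
```

The single-exit pattern is what the fix introduces: every failure after the first allocation jumps to out_free_rpl_list, so adding a future error check cannot reintroduce the leak by forgetting a free. The model's success path, where the caller receives and frees the 16-byte list, is an assumption made so that the counter reads zero after a clean call; the advisory only describes the failure paths.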

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available from your Linux distribution; the fix is a small driver change, so it is a candidate for normal patch cycles rather than emergency maintenance
  • Monitor vendor security advisories for smartpqi driver updates
  • Where no smartpqi hardware is present the driver does not bind to any device; blacklisting the module, or not building it, is optional attack-surface reduction rather than a mitigation for this CVE
  • Identify systems using Microsemi/Adaptec Smart Family controllers (for example, hosts where the smartpqi module is loaded or /sys/bus/pci/drivers/smartpqi has bound devices) and prioritize their kernel updates

Evidence notes

The CVE description indicates this issue was found using a prototype static analysis tool and code review, with compile testing only; no runtime reproduction is reported. The fix consolidates error handling in pqi_report_phys_luns() so that rpl_list is freed on every failure path. Multiple stable kernel commits are referenced, indicating backports to several kernel versions; the affected version range is not stated in the stored evidence.

Official resources

2026-05-27