PatchSiren

CVE-2026-45928 Linux CVE debrief

A memory leak vulnerability exists in the Linux kernel's Chips&Media Wave5 VPU driver. When opening encoder or decoder instances, if allocation of codec_info fails after the VPU instance is allocated, the instance is not freed before returning -ENOMEM. This results in a memory leak that could be triggered by resource exhaustion scenarios. The vulnerability affects kernel versions prior to the fix commits. The issue was resolved by adding kfree() calls in the error paths of wave5_vpu_open_enc() and wave5_vpu_open_dec() to properly release the allocated instance when codec_info allocation fails.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux kernel maintainers, embedded systems developers using Chips&Media Wave5 VPU hardware, and security teams tracking kernel memory safety issues.

Technical summary

The wave5_vpu_open_enc() and wave5_vpu_open_dec() functions in drivers/media/platform/chips-media/wave5/ allocate a VPU instance via kzalloc(). If the subsequent inst->codec_info allocation fails, the functions return -ENOMEM without freeing the instance, causing a memory leak. The fix adds kfree(inst) in these error paths before returning.
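
The error path described above, as an added userspace model rather than the driver's own code: it fails the second allocation on purpose and counts what is still allocated when the open call returns -ENOMEM, with and without the added free. The struct layouts, model_zalloc(), model_free(), open_instance() and leaked_after_failed_open() are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdlib.h>

/* Userspace model of the error path; every name is hypothetical, not driver source. */
struct codec_info { int params[16]; };
struct vpu_instance { struct codec_info *codec_info; };
static void *live[4];          /* tracked allocations that are not yet freed */
static int calls, fail_at = 2; /* the fail_at-th allocation (1-based) fails */

static void *model_zalloc(size_t n)            /* stands in for kzalloc() */
{
    if (++calls == fail_at)
        return NULL;                           /* injected allocation failure */
    for (int i = 0; i < 4; i++)
        if (!live[i])
            return live[i] = calloc(1, n);
    return NULL;
}
static void model_free(void *p)                /* stands in for kfree() */
{
    for (int i = 0; p && i < 4; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
}
/* fix=0: error path as described before the fix; fix=1: with the free added. */
static int open_instance(int fix, struct vpu_instance **out)
{
    struct vpu_instance *inst = model_zalloc(sizeof(*inst));
    if (!inst)
        return -ENOMEM;
    inst->codec_info = model_zalloc(sizeof(*inst->codec_info));
    if (!inst->codec_info) {
        if (fix)
            model_free(inst);                  /* release inst on failure */
        return -ENOMEM;                        /* fix=0 leaves inst allocated */
    }
    *out = inst;
    return 0;
}
/* Fail the second allocation, then count and reclaim what was left behind. */
static int leaked_after_failed_open(int fix)
{
    struct vpu_instance *inst = NULL;
    int leaked = 0;
    calls = 0;
    if (open_instance(fix, &inst) != -ENOMEM)
        return -1;
    for (int i = 0; i < 4; i++)
        if (live[i]) { leaked++; model_free(live[i]); }
    return leaked;
}
```

leaked_after_failed_open(0) reports one tracked object left behind per failed open, and leaked_after_failed_open(1) reports none.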

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available from your Linux distribution
  • Monitor NVD for CVSS scoring once analysis is complete
  • Review systems using Chips&Media Wave5 VPU hardware for potential memory pressure impacts
  • Consider memory leak detection tooling for kernel modules in staging environments

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-27. The fix is confirmed by four kernel.org stable tree commits. No CVSS score has been assigned by NVD (status: Awaiting Analysis). Vendor identification is marked low confidence based on reference domain analysis; the affected component is the Chips&Media Wave5 driver in the Linux kernel media subsystem.
