CVE-2026-45989 Linux CVE debrief

Who should care

Linux kernel developers, distribution maintainers, organizations running custom kernel builds with unit testing enabled, embedded systems developers using device tree overlays

Technical summary

The vulnerability is located in `drivers/of/unittest.c` in the `testdrv_probe()` function. The issue stems from incorrect reference counting of device tree nodes. The function obtains a pointer to the device node via `pdev->dev.of_node`, which is a reference owned by the device model (PCI core). After applying a device tree overlay with `of_overlay_apply()`, the code erroneously calls `of_node_put(dn)`, releasing this reference. If the reference count reaches zero, the node is freed. The subsequent call to `of_platform_default_populate(dn, NULL, &pdev->dev)` then operates on freed memory. The resolution removes the `of_node_put(dn)` call, preserving the device model's ownership of the reference. This vulnerability affects kernel unit testing infrastructure and is unlikely to be present in production kernel configurations unless CONFIG_OF_UNITTEST is explicitly enabled.

Defensive priority

medium

Recommended defensive actions

• Apply kernel patches from stable kernel releases once available for your distribution
• Monitor distribution security advisories for backported fixes
• Review custom kernel builds for presence of CONFIG_OF_UNITTEST option
• Prioritize patching on systems running kernel unit tests or development environments where OF unittest driver may be loaded

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Fix commits identified in kernel.org stable tree. No CVSS score or severity assigned by NVD at time of disclosure (status: Awaiting Analysis). Vendor attribution marked as low confidence requiring review based on reference domain analysis.

Official resources