PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46221 Linux CVE debrief

A memory leak vulnerability in the Linux kernel's EDAC (Error Detection and Correction) driver for AMD/Xilinx Versal NET platforms has been resolved. The issue occurred in the `init_one_mc()` function where a device name was allocated via `kzalloc()` and assigned to `dev->init_name`. After `device_register()` executes, it copies the `init_name` value and sets `dev->init_name` to NULL, leaving the originally allocated memory unreachable and never freed during normal device removal. The fix replaces the heap-allocated name with a stack-local character array, eliminating the leak. This is a local-only memory leak with no demonstrated exploitability for code execution or privilege escalation.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-06-10
Advisory published
2026-05-28
Advisory updated
2026-06-10

Who should care

Linux kernel maintainers and system administrators running AMD/Xilinx Versal NET platforms who prioritize memory hygiene in long-running systems; general security teams can deprioritize given local-only scope and lack of exploitability for code execution.

Technical summary

The EDAC (Error Detection and Correction) driver for AMD/Xilinx Versal NET platforms in the Linux kernel contained a memory leak in `init_one_mc()`. A device name string was allocated with `kzalloc()` and stored in `dev->init_name`. The `device_register()` function copies this name internally, then clears `dev->init_name` to NULL. The original `kzalloc()` allocation was never freed, becoming unreachable memory. The resolution replaces the dynamic allocation with a stack-local buffer, ensuring automatic cleanup. This vulnerability is local-only (driver initialization context) with no attack surface for remote exploitation or privilege escalation.

Defensive priority

low

Recommended defensive actions

  • Apply kernel updates containing the referenced stable tree commits when available for your distribution
  • Monitor NVD for CVSS scoring once analysis is complete
  • No emergency patching required; prioritize based on standard kernel maintenance schedules

Evidence notes

The vulnerability description and resolution are sourced from the official CVE record published 2026-05-28. Three kernel.org stable tree commits are referenced as resolution evidence. No CVSS score has been assigned by NVD (status: Awaiting Analysis). The vendor identification is marked low confidence with review needed based on reference domain analysis.

Official resources

2026-05-28