PatchSiren

CVE-2026-46221 Linux CVE debrief

A memory leak vulnerability in the Linux kernel's EDAC (Error Detection and Correction) driver for AMD/Xilinx Versal NET platforms has been resolved. The issue occurred in the `init_one_mc()` function where a device name was allocated via `kzalloc()` and assigned to `dev->init_name`. After `device_register()` executes, it copies the `init_name` value and sets `dev->init_name` to NULL, leaving the originally allocated memory unreachable and never freed during normal device removal. The fix replaces the heap-allocated name with a stack-local character array, eliminating the leak. This is a local-only memory leak with no demonstrated exploitability for code execution or privilege escalation.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Linux kernel maintainers and system administrators running AMD/Xilinx Versal NET platforms who prioritize memory hygiene in long-running systems; general security teams can deprioritize given local-only scope and lack of exploitability for code execution.

Technical summary

The EDAC (Error Detection and Correction) driver for AMD/Xilinx Versal NET platforms in the Linux kernel contained a memory leak in `init_one_mc()`. A device name string was allocated with `kzalloc()` and stored in `dev->init_name`. The `device_register()` function copies this name internally, then clears `dev->init_name` to NULL. The original `kzalloc()` allocation was never freed, becoming unreachable memory. The resolution replaces the dynamic allocation with a stack-local buffer, ensuring automatic cleanup. This vulnerability is local-only (driver initialization context) with no attack surface for remote exploitation or privilege escalation.
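The leak pattern and its fix, modelled in userspace C as an added example (not the kernel driver's code or the upstream patch). `model_register()` imitates the copy-then-NULL behaviour described above; the pool allocator, `model_device`, `init_one()` and the `mc%d` name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Userspace model, not kernel code: a small pool stands in for kzalloc()/kfree(). */
#define SLOTS 8
#define NAME_LEN 32
static char pool[SLOTS][NAME_LEN];
static int in_use[SLOTS], live; /* live = blocks currently allocated */

static char *model_zalloc(void)
{
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; live++; memset(pool[i], 0, NAME_LEN); return pool[i]; }
    return NULL;
}
static void model_free(const char *p)
{
    for (int i = 0; i < SLOTS; i++)
        if (p == pool[i] && in_use[i]) { in_use[i] = 0; live--; }
}
struct model_device { const char *init_name; char *name; };

/* As the page describes device_register(): copy init_name, then set it to NULL. */
static int model_register(struct model_device *dev)
{
    if (!(dev->name = model_zalloc())) return -1;
    snprintf(dev->name, NAME_LEN, "%s", dev->init_name);
    dev->init_name = NULL; /* the struct no longer references the caller's buffer */
    return 0;
}
/* Normal removal releases only the copy the device core owns. */
static void model_unregister(struct model_device *dev) { model_free(dev->name); dev->name = NULL; }

/* One register/unregister cycle; returns how many blocks it left allocated. */
static int init_one(int idx, int heap_name)
{
    int before = live;
    char stack_name[NAME_LEN], *name = heap_name ? model_zalloc() : stack_name;
    if (!name) return -1;
    snprintf(name, NAME_LEN, "mc%d", idx); /* constructed sample name */
    struct model_device dev = { .init_name = name, .name = NULL };
    if (model_register(&dev)) { model_free(name); return -1; }
    model_unregister(&dev);
    return live - before; /* heap_name: 'name' is never freed, as in the pre-fix code */
}

int main(void)
{
    printf("stack name leaks %d, heap name leaks %d\n", init_one(0, 0), init_one(1, 1));
    return 0;
}
```

Each call with `heap_name` set leaves one block allocated after removal, which is why the cost of the original bug grows with repeated initialization of the device rather than with uptime alone.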

Defensive priority

low

Recommended defensive actions

  • Apply kernel updates containing the referenced stable tree commits when available for your distribution
  • Monitor NVD for CVSS scoring once analysis is complete
  • No emergency patching required; prioritize based on standard kernel maintenance schedules

Evidence notes

The vulnerability description and resolution are sourced from the official CVE record published 2026-05-28. Three kernel.org stable tree commits are referenced as resolution evidence. No CVSS score has been assigned by NVD (status: Awaiting Analysis). The vendor identification is marked low confidence with review needed based on reference domain analysis.
