CVE-2026-23026 Overview
A memory leak vulnerability has been identified in the Linux kernel's DMA engine subsystem, specifically within the Qualcomm GPI (Generic Peripheral Interface) driver. The vulnerability exists in the gpi_peripheral_config() function where improper handling of krealloc() failure can lead to memory becoming unreachable and unable to be freed.
Critical Impact
Systems running affected Linux kernel versions with the Qualcomm GPI DMA driver are susceptible to memory leaks that could lead to resource exhaustion over time.
Affected Products
- Linux Kernel (Qualcomm GPI DMA engine driver)
- Systems using dmaengine/qcom/gpi module
- Qualcomm SoC-based devices utilizing the GPI peripheral interface
Discovery Timeline
- 2026-01-31 - CVE-2026-23026 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-23026
Vulnerability Analysis
This vulnerability is a classic memory leak pattern that occurs during dynamic memory reallocation operations in the Linux kernel. The issue manifests when the krealloc() function fails to allocate memory and returns NULL. In the vulnerable code path, the original memory pointer stored in gchan->config is directly overwritten with the NULL result, causing an irreversible loss of the reference to the previously allocated memory block.
The vulnerability follows a specific sequence:
- The gchan->config pointer holds a reference to previously allocated memory
- A call to krealloc() attempts to resize this memory allocation
- When krealloc() fails, it returns NULL without freeing the original memory
- The code directly assigns this NULL value to gchan->config
- The original memory becomes orphaned with no reference to free it
This type of memory leak can accumulate over time, particularly in scenarios where the DMA peripheral configuration is frequently modified or when the system operates under memory pressure conditions.
Root Cause
The root cause is improper error handling in the gpi_peripheral_config() function within the drivers/dma/qcom/gpi.c file. The code fails to preserve the original pointer value before attempting reallocation, violating a fundamental safe coding pattern for krealloc() usage in the Linux kernel.
When krealloc() is called with a valid pointer and fails, the original memory remains allocated but the pointer to it is lost when directly overwritten. The correct approach is to use a temporary variable to capture the krealloc() result and only update the original pointer if the allocation succeeds.
Attack Vector
This is a locally exploitable condition that does not require direct attacker interaction. The memory leak occurs naturally during normal driver operation when specific configuration paths are exercised under memory pressure. While not directly exploitable for code execution, sustained memory leaks can lead to:
- System performance degradation as available memory decreases
- Denial of service conditions when kernel memory pools are exhausted
- System instability requiring reboot to recover leaked memory
The vulnerability was discovered through static analysis and code review, indicating it may be triggered in specific edge cases where memory allocation fails during peripheral configuration operations.
Detection Methods for CVE-2026-23026
Indicators of Compromise
- Gradual increase in kernel memory usage over time without corresponding process memory growth
- kmemleak reports indicating unreferenced memory in the GPI driver memory space
- System log entries showing memory allocation failures in the DMA subsystem
- Unexpected out-of-memory conditions on systems with adequate physical RAM
Detection Strategies
- Enable CONFIG_DEBUG_KMEMLEAK in kernel configuration to detect kernel memory leaks
- Monitor /proc/meminfo for increasing Slab memory consumption patterns
- Use slabinfo or /proc/slabinfo to track DMA-related slab allocations
- Deploy kernel tracing with ftrace to monitor krealloc calls in the GPI driver path
Monitoring Recommendations
- Implement baseline memory monitoring for systems using Qualcomm SoC platforms
- Configure alerting thresholds for abnormal kernel memory growth patterns
- Regularly review dmesg output for DMA engine allocation warnings
- Consider enabling kernel memory debugging options in non-production environments for early detection
How to Mitigate CVE-2026-23026
Immediate Actions Required
- Review currently deployed Linux kernel versions for affected GPI driver code
- Plan kernel update cycles to incorporate the security patches
- Monitor affected systems for memory leak symptoms until patches can be applied
- Consider temporarily reducing DMA peripheral reconfiguration frequency if feasible
Patch Information
The Linux kernel development team has released patches to address this vulnerability. The fix involves using a temporary variable to hold the krealloc() result and only updating gchan->config when the allocation succeeds, ensuring the original memory reference is preserved on failure.
Multiple commits have been applied to various stable kernel branches:
- Kernel Git Commit 01b1d78
- Kernel Git Commit 3f74700
- Kernel Git Commit 55a67ba
- Kernel Git Commit 6bf4ef0
Workarounds
- If kernel updates cannot be immediately applied, monitor system memory consumption closely
- Implement automated system restart schedules during maintenance windows to recover leaked memory
- Reduce system memory pressure by optimizing workload distribution
- Consider disabling non-essential DMA peripheral configurations until patching is complete
# Enable kernel memory leak detection for monitoring
echo scan > /sys/kernel/debug/kmemleak
cat /sys/kernel/debug/kmemleak | grep -i gpi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
