CVE-2026-23065 Overview
A memory leak vulnerability has been identified in the Linux kernel's AMD platform driver, specifically within the wbrf_record() function. The vulnerability occurs when the tmp buffer, allocated using kcalloc(), is not properly freed if the subsequent call to acpi_evaluate_dsm() fails. This creates a memory leak condition in the error handling path that could lead to gradual memory exhaustion on affected systems.
Critical Impact
Systems running affected Linux kernel versions with AMD platform support may experience gradual memory exhaustion due to leaked allocations in the WBRF driver error path, potentially leading to system instability or denial of service conditions.
Affected Products
- Linux kernel with AMD platform/x86 driver support
- Systems utilizing WBRF (Wireless Band RF) functionality
- AMD-based systems with ACPI DSM support
Discovery Timeline
- 2026-02-04 - CVE-2026-23065 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-23065
Vulnerability Analysis
This memory leak exists in the AMD platform driver's wbrf_record() function within the Linux kernel's x86 platform subsystem. The function allocates a temporary buffer (tmp) with kcalloc() to handle WBRF (Wireless Band RF) operations. However, the original code did not include cleanup logic for the case where acpi_evaluate_dsm() returns an error.
In kernel programming, proper memory management is critical because leaked kernel memory cannot be reclaimed until the system reboots. Each failed acpi_evaluate_dsm() call would leave an orphaned allocation, and these accumulate over time. On systems where this code path is frequently exercised, such as those with active wireless RF management, the memory exhaustion could become significant.
Root Cause
The root cause is a missing kfree() call in the error handling path of the wbrf_record() function. When kcalloc() successfully allocates the tmp buffer but the subsequent acpi_evaluate_dsm() call fails, the function returns without releasing the allocated memory. This is a classic resource cleanup oversight in C kernel code where early return paths bypass cleanup logic.
Attack Vector
While this vulnerability is primarily a reliability and availability issue rather than a direct security exploit, the memory leak could potentially be triggered by:
The attack vector for this vulnerability involves scenarios where acpi_evaluate_dsm() failures can be induced, either through malformed ACPI tables, hardware manipulation, or other methods that cause DSM evaluation to fail repeatedly. On systems where this error path can be triggered frequently, an attacker with local access could potentially exhaust system memory resources.
The fix implements explicit memory cleanup by adding a kfree(tmp) call in the error handling path before the function returns when acpi_evaluate_dsm() fails. This ensures that regardless of the execution path, allocated resources are properly released.
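The missing free and its fix, modelled in userspace as an added example (this is not the kernel's wbrf_record() source). The names model_kcalloc, model_kfree, model_record and leaked_after, the dsm_fails and fixed switches, and the 16-byte element size are hypothetical stand-ins; a counter makes the orphaned buffers visible.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

static long live_allocs;   /* buffers currently held by the model */

static void *model_kcalloc(size_t n, size_t size)
{
    void *p = calloc(n, size);
    live_allocs += (p != NULL);
    return p;
}

static void model_kfree(void *p)
{
    live_allocs -= (p != NULL);
    free(p);
}

/* dsm_fails models acpi_evaluate_dsm() failing; fixed adds the error-path free. */
static int model_record(size_t num_elements, int dsm_fails, int fixed)
{
    void *obj, *tmp = model_kcalloc(num_elements, 16);
    if (!tmp)
        return -ENOMEM;
    obj = dsm_fails ? NULL : model_kcalloc(1, 16);
    if (!obj) {
        if (fixed)
            model_kfree(tmp);
        return -EINVAL;   /* unfixed: tmp is orphaned here */
    }
    model_kfree(obj);
    model_kfree(tmp);
    return 0;
}

/* Net buffers left allocated after `calls` invocations. */
static long leaked_after(int calls, int dsm_fails, int fixed)
{
    long before = live_allocs;
    for (int i = 0; i < calls; i++)
        model_record(4, dsm_fails, fixed);
    return live_allocs - before;
}

int main(void)
{
    printf("unfixed: %ld, fixed: %ld\n", leaked_after(1000, 1, 0), leaked_after(1000, 1, 1));
    return 0;
}
```

The leak grows by one buffer per failed call and only on the failure path, which is why it shows up as slow slab growth rather than an immediate fault.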
Detection Methods for CVE-2026-23065
Indicators of Compromise
- Gradual increase in kernel memory usage over time without corresponding workload increase
- Memory allocation failures or OOM (Out of Memory) conditions in kernel logs
- System instability on AMD platforms with WBRF functionality enabled
- Increasing slab memory consumption visible in /proc/meminfo or slabtop output
Detection Strategies
- Monitor kernel memory statistics using /proc/meminfo for unexplained growth in kernel memory
- Enable kernel memory leak detection tools such as kmemleak to identify orphaned allocations
- Review system logs for ACPI DSM evaluation failures in the AMD platform driver
- Implement automated memory trend analysis on systems running affected kernel versions
Monitoring Recommendations
- Deploy continuous memory monitoring on systems with AMD platform drivers
- Configure alerts for sustained kernel memory growth patterns
- Regularly audit kernel logs for ACPI-related error messages from the WBRF subsystem
- Consider using SentinelOne's kernel-level monitoring to detect anomalous memory behavior patterns
How to Mitigate CVE-2026-23065
Immediate Actions Required
- Update to a patched Linux kernel version that includes the memory leak fix
- Monitor affected systems for signs of memory exhaustion until patching is complete
- Consider temporarily disabling WBRF functionality if memory issues are observed and updates are not immediately available
- Review and apply kernel patches from the official kernel Git repository
Patch Information
The fix has been committed to the stable Linux kernel branches. The patch explicitly frees the tmp buffer in the error handling path when acpi_evaluate_dsm() fails. The following commits contain the fix:
- Commit 1152dffe01af
- Commit 1a0072bd1f1e
- Commit 2bf1877b7094
Workarounds
- If immediate patching is not possible, monitor system memory usage and schedule periodic reboots to clear leaked memory
- Disable WBRF functionality in kernel configuration if not required for your use case
- Implement memory pressure alerts to detect when systems approach critical memory thresholds
- Use kernel live patching solutions if available to apply the fix without system reboot
# Check current kernel version and WBRF driver status
uname -r
lsmod | grep -i wbrf
# Monitor kernel memory usage
watch -n 5 'grep -E "MemTotal|MemFree|Slab|SUnreclaim" /proc/meminfo'
# Enable kmemleak for detection (if compiled into kernel)
echo scan > /sys/kernel/debug/kmemleak
cat /sys/kernel/debug/kmemleak | grep -i wbrf

