CVE-2026-23081 Overview
A memory leak vulnerability has been identified in the Linux kernel's Intel-Xway PHY driver (net: phy: intel-xway). The issue stems from improper handling of Open Firmware (OF) device tree node reference counts when checking for the existence of a 'leds' child node. When the driver examines whether the 'leds' child node exists, it fails to properly release the reference count using of_put_node(), leading to reference count leakage.
Critical Impact
This vulnerability can cause memory leaks and potential resource exhaustion in Linux kernel systems using the Intel-Xway PHY driver, particularly affecting network infrastructure devices.
Affected Products
- Linux kernel with Intel-Xway PHY driver (net/phy/intel-xway.c)
- Systems using Device Tree/Open Firmware with Intel-Xway network PHY hardware
- Embedded systems and network appliances utilizing Intel-Xway Ethernet PHYs
Discovery Timeline
- 2026-02-04 - CVE CVE-2026-23081 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-23081
Vulnerability Analysis
This vulnerability falls under the category of Memory Leak, a subset of memory corruption vulnerabilities. The issue was identified through automated code review, which detected an Open Firmware (OF) node reference count leakage in the Intel-Xway PHY driver.
In the Linux kernel's device tree subsystem, each OF node maintains a reference count to track its usage. When code acquires a reference to a node (such as when checking for child nodes), it must properly release that reference using of_put_node() when finished. Failure to do so results in the reference count being incremented without a corresponding decrement, causing the node to never be freed.
The vulnerability occurs specifically when the driver checks if a 'leds' child node exists within the device tree. The code path that performs this check does not properly maintain the reference count, leading to memory leakage over time.
Root Cause
The root cause is a missing call to of_put_node() in the Intel-Xway PHY driver code path. When the driver uses functions like of_get_child_by_name() or similar OF APIs to check for the 'leds' child node, these functions increment the reference count of the returned node. The driver failed to call of_put_node() to decrement this reference count after the check was complete, resulting in orphaned references that accumulate over time.
Attack Vector
This vulnerability is primarily a reliability and stability issue rather than a direct security exploit vector. The attack potential is limited as it requires:
- Physical or administrative access to systems running the affected kernel driver
- The ability to trigger the code path that checks for the 'leds' child node
- Repeated triggering to cause meaningful resource exhaustion
The memory leak could potentially be exploited as part of a local denial of service attack by repeatedly triggering the vulnerable code path to exhaust kernel memory resources. However, the practical exploitability is low given the specific hardware and configuration requirements.
Detection Methods for CVE-2026-23081
Indicators of Compromise
- Gradual increase in kernel memory usage on systems with Intel-Xway PHY hardware
- Slab memory allocation warnings in kernel logs related to OF nodes
- System instability or slowdowns over extended uptime periods on affected devices
Detection Strategies
- Monitor kernel memory statistics using /proc/meminfo and /proc/slabinfo for unusual growth patterns
- Implement kernel memory leak detection tools such as kmemleak to identify unreleased OF node references
- Review system logs for memory allocation failures or OF-related warnings
- Use hardware inventory tools to identify systems with Intel-Xway PHY components
Monitoring Recommendations
- Set up alerting for kernel memory growth anomalies on systems with Intel-Xway PHY hardware
- Implement regular kernel log analysis for OF subsystem warnings
- Monitor system uptime correlation with memory consumption patterns
- Deploy SentinelOne's kernel-level monitoring to detect resource exhaustion conditions
How to Mitigate CVE-2026-23081
Immediate Actions Required
- Apply the kernel patches from the stable kernel git repositories immediately
- Schedule system reboots for affected systems to clear accumulated memory leaks
- Prioritize patching for network infrastructure devices using Intel-Xway PHY hardware
- Monitor affected systems for memory pressure symptoms until patches can be applied
Patch Information
The vulnerability has been resolved in the Linux kernel stable branches. The fix adds the missing of_put_node() call to properly maintain the reference count when checking for the 'leds' child node.
Patches are available from the kernel git repositories:
- Kernel Git Commit 1f24dfd556401b75f78e8d9cbd94dd9f31411c3a
- Kernel Git Commit 79912b256e14054e6ba177d7e7e631485ce23dbe
Workarounds
- If immediate patching is not possible, schedule regular reboots of affected systems to clear leaked memory
- Disable the Intel-Xway PHY driver if the hardware is not required (may impact network functionality)
- Monitor memory usage closely and implement automated restart procedures when memory thresholds are exceeded
- Consider deploying alternative PHY drivers if compatible hardware alternatives exist
# Check if your system has the Intel-Xway PHY driver loaded
lsmod | grep xway
# Monitor kernel memory for leak symptoms
watch -n 60 'cat /proc/meminfo | grep -E "Slab|SUnreclaim"'
# Check kernel version and apply updates
uname -r
# Update to patched kernel version through your distribution's package manager
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
