CVE-2026-23464 Overview
A memory leak vulnerability has been identified in the Linux kernel's Microchip PolarFire SoC (MPFS) system controller driver. The flaw exists in the mpfs_sys_controller_probe() function, where allocated memory for the sys_controller structure is not properly freed when of_get_mtd_device_by_node() fails, leading to a memory leak condition.
Critical Impact
Repeated triggering of this vulnerability could lead to kernel memory exhaustion, potentially causing system instability or denial of service conditions on affected Linux systems running Microchip PolarFire SoC hardware.
Affected Products
- Linux kernel with Microchip PolarFire SoC (MPFS) system controller driver enabled
- Systems utilizing the soc/microchip/mpfs driver component
- Embedded systems and devices based on Microchip PolarFire SoC architecture
Discovery Timeline
- 2026-04-03 - CVE-2026-23464 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-23464
Vulnerability Analysis
This vulnerability is classified as a Memory Leak in the Linux kernel's Microchip MPFS system controller driver. The issue occurs during the device probe sequence when error handling paths fail to properly deallocate previously allocated kernel memory.
When the mpfs_sys_controller_probe() function allocates memory for the sys_controller structure and subsequently encounters a failure in of_get_mtd_device_by_node(), the function returns immediately without executing the necessary cleanup code. This results in orphaned kernel memory that cannot be reclaimed, constituting a kernel memory leak.
The vulnerability also affects error handling for mbox_request_channel() failures, where similar improper cleanup behavior was observed. Over time, repeated probe failures could accumulate leaked memory, potentially exhausting available kernel memory resources.
Root Cause
The root cause is improper error handling in the mpfs_sys_controller_probe() function. When of_get_mtd_device_by_node() fails, the function contains a direct return statement that bypasses the out_free cleanup label. This violates the established error handling pattern in the kernel where allocated resources must be freed before returning from a function on failure paths.
The fix consolidates error handling by ensuring all failure paths jump to the out_free label, which properly deallocates the sys_controller memory before returning the error code.
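The error-path pattern described above, as an added userspace C model (not the kernel driver's code and not part of the original advisory). The struct fields, get_flash(), get_chan() and the live counter are hypothetical stand-ins for the kernel calls; only the flash-lookup failure named in this section is modeled as leaking.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model, not kernel code: live counts structs still allocated. */
static int live;
struct sys_controller { int flash_ready, chan_ready; };

/* Hypothetical stand-ins for of_get_mtd_device_by_node() and mbox_request_channel(). */
static int get_flash(int fails) { return fails ? -ENODEV : 0; }
static int get_chan(int fails) { return fails ? -EBUSY : 0; }

/* patched == 0 models the direct return; patched == 1 models the goto out_free fix. */
static int probe(int patched, int flash_fails, int chan_fails, struct sys_controller **out)
{
    struct sys_controller *sc = calloc(1, sizeof(*sc));
    int ret;
    if (!sc)
        return -ENOMEM;
    live++;
    ret = get_flash(flash_fails);
    if (ret && !patched)
        return ret;             /* before: sc is orphaned, out_free is skipped */
    if (ret)
        goto out_free;          /* after: same failure, but sc is released */
    ret = get_chan(chan_fails);
    if (ret)
        goto out_free;
    sc->flash_ready = sc->chan_ready = 1;
    *out = sc;                  /* success: caller owns sc until remove */
    return 0;
out_free:
    free(sc);
    live--;
    return ret;
}

/* Structs left behind by n probes that all fail at the flash lookup. */
static int leaked_after(int patched, int n)
{
    struct sys_controller *sc = NULL;
    live = 0;
    for (int i = 0; i < n; i++)
        probe(patched, 1, 0, &sc);
    return live;
}

int main(void) { printf("unpatched=%d patched=%d\n", leaked_after(0, 100), leaked_after(1, 100)); return 0; }
```

Each failed probe in the unpatched path leaves one structure behind, so the leak grows linearly with the number of probe attempts, while the patched path returns the same error code with nothing left allocated.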
Attack Vector
The attack vector for this vulnerability is primarily local in nature. An attacker with the ability to trigger repeated probe cycles of the MPFS system controller driver could potentially exhaust kernel memory over time. This could be achieved through:
- Manipulating device tree configurations to cause repeated probe failures
- Triggering module load/unload cycles on affected systems
- Exploiting race conditions during device initialization
While direct exploitation for code execution is unlikely, the memory exhaustion could lead to denial of service conditions affecting system availability.
Detection Methods for CVE-2026-23464
Indicators of Compromise
- Unexplained kernel memory growth over time on systems using Microchip PolarFire SoC
- Repeated error messages related to of_get_mtd_device_by_node() failures in kernel logs
- Memory allocation failures or OOM (Out of Memory) conditions without corresponding user-space memory pressure
Detection Strategies
- Monitor kernel memory statistics using /proc/meminfo for unexpected slab cache growth
- Enable kernel memory debugging options such as CONFIG_DEBUG_KMEMLEAK to detect memory leaks
- Review dmesg output for MPFS system controller probe failure messages
- Implement automated alerting on kernel memory consumption anomalies
Monitoring Recommendations
- Configure memory monitoring tools to track kernel slab allocations over time
- Set up alerts for systems approaching memory exhaustion thresholds
- Enable kernel memory leak detection during development and testing phases
- Regularly review system logs for patterns indicating repeated driver probe failures
How to Mitigate CVE-2026-23464
Immediate Actions Required
- Update to a patched Linux kernel version containing the fix commits
- Review systems running Microchip PolarFire SoC for signs of memory exhaustion
- Consider temporarily disabling the MPFS system controller driver if not required
- Monitor affected systems for memory consumption anomalies until patches are applied
Patch Information
The Linux kernel maintainers have released patches addressing this memory leak. The fix ensures proper memory deallocation by directing all error paths to the out_free label. Multiple patch commits are available:
- Linux Kernel Commit 17c84fb7cf39
- Linux Kernel Commit 5a741f8cc6fe
- Linux Kernel Commit da4b44c42f40
- Linux Kernel Commit e3dd5cffba07
Apply the appropriate patch for your kernel version from the stable kernel trees.
Workarounds
- If the MPFS system controller functionality is not required, disable the driver by blacklisting the module
- Implement system restart schedules to periodically reclaim leaked memory on production systems
- Monitor and alert on memory thresholds to trigger manual intervention before exhaustion occurs
```bash
# Blacklist the MPFS system controller driver if not needed
echo "blacklist mpfs_sys_controller" >> /etc/modprobe.d/blacklist.conf
# Verify module is not loaded
lsmod | grep mpfs
# Monitor kernel memory usage
grep -E "MemFree|Slab|SUnreclaim" /proc/meminfo
```


