CVE-2026-43269: Linux Kernel Memory Leak Vulnerability

CVE-2026-43269 Overview

CVE-2026-43269 is a memory leak vulnerability in the Linux kernel's drm/atmel-hlcdc Direct Rendering Manager (DRM) driver. The flaw resides in the atomic_destroy_state callback, which only releases the framebuffer reference and fails to free associated drm_crtc_commit objects. Each atomic commit through the affected code path leaks slab memory, gradually depleting kernel memory during sustained graphics workloads. Detection through kmemleak confirms unreferenced allocations originating from drm_atomic_helper_setup_commit. The issue affects systems using Atmel HLCDC display controllers, common in embedded and industrial Linux deployments.

Critical Impact

Sustained use of graphics applications on affected systems progressively exhausts kernel slab memory, leading to performance degradation and potential denial of service on long-running embedded devices.

Affected Products

• Linux kernel drm/atmel-hlcdc driver (multiple stable branches)
• Embedded Linux systems using Atmel HLCDC display controllers
• Devices running graphics workloads through the DRM atomic modesetting API

Discovery Timeline

• 2026-05-06 - CVE-2026-43269 published to NVD
• 2026-05-06 - Last updated in NVD database

Technical Details for CVE-2026-43269

Vulnerability Analysis

The vulnerability is a memory leak [CWE-401] in the Atmel HLCDC DRM driver. The atomic_destroy_state callback is responsible for releasing all resources tied to a plane state when the state is destroyed. In the affected implementation, the callback only releases the framebuffer reference using a partial cleanup path. It does not invoke the standard helper that frees associated objects, including drm_crtc_commit structures allocated during drm_atomic_helper_setup_commit.

Each atomic modeset operation allocates a drm_crtc_commit object. When the plane state is destroyed without using the proper helper, those commit objects remain referenced and accumulate in the slab allocator. The kernel's kmemleak infrastructure flags these as unreferenced 64-byte allocations originating from __kmalloc_cache_noprof and drm_atomic_helper_setup_commit.

Reporters observed the leak after several hours of running graphics applications such as egt_basic, with progressive growth in slab memory consumption tied directly to the frequency of atomic commits issued via the DRM_IOCTL_MODE_SETCRTC ioctl.

Root Cause

The root cause is incomplete cleanup logic in the driver's atomic_destroy_state callback. The function manually releases the framebuffer instead of calling __drm_atomic_helper_plane_destroy_state(), which performs the full reference-count teardown for all objects attached to the plane state. The fix replaces the partial cleanup with the standard helper, ensuring all referenced objects are properly released.

Attack Vector

The vulnerability is triggered through the standard userspace DRM ioctl interface. Any local process with access to /dev/dri/card* and permission to perform modesetting can trigger repeated allocations by issuing DRM_IOCTL_MODE_SETCRTC calls. The call path observed in the leak backtrace is sys_ioctl → drm_ioctl → drm_mode_setcrtc → drm_atomic_helper_set_config → drm_atomic_commit → drm_atomic_helper_commit → drm_atomic_helper_setup_commit. No privileged operation beyond standard graphics access is required to induce the leak.

The vulnerability mechanism is described in the upstream commit messages. See the kernel commits referenced below for the source-level fix.

Detection Methods for CVE-2026-43269

Indicators of Compromise

• Steady growth of kernel slab memory on systems running graphics workloads on Atmel HLCDC hardware.
• kmemleak reports listing unreferenced 64-byte allocations with backtraces containing drm_atomic_helper_setup_commit and drm_mode_setcrtc.
• Userspace processes such as graphics or compositor applications correlating with rising kmalloc-64 slab counters in /proc/slabinfo.

Detection Strategies

• Enable CONFIG_DEBUG_KMEMLEAK on test or staging kernels to surface unreferenced drm_crtc_commit allocations during normal graphics activity.
• Monitor /proc/meminfoSlab and SReclaimable counters over extended runtime windows on devices using the atmel-hlcdc driver.
• Compare kernel build versions against the fixed commits listed in the kernel.org stable tree to confirm patch status.

Monitoring Recommendations

• Track long-term slab consumption trends on embedded fleets running Atmel SoCs and alert on sustained upward drift.
• Collect dmesg output during graphics application lifecycles to capture any out-of-memory or allocation failure events.
• Audit kernel version inventory across embedded Linux deployments to identify unpatched drm/atmel-hlcdc instances.

How to Mitigate CVE-2026-43269

Immediate Actions Required

• Inventory all systems using Atmel HLCDC display controllers and verify the running kernel version.
• Apply the upstream stable kernel updates that include the fix for the atmel-hlcdcatomic_destroy_state callback.
• Schedule reboots for long-running embedded devices once patched kernels are deployed to clear accumulated leaked memory.

Patch Information

The fix replaces the manual framebuffer release in the atomic_destroy_state callback with __drm_atomic_helper_plane_destroy_state(), ensuring all referenced objects are freed. The patch has been backported across multiple stable branches. Reference commits include Kernel Commit f1235247, Kernel Commit 082271e3, Kernel Commit 25e832a7, Kernel Commit 3e64e78f, Kernel Commit 5718d989, Kernel Commit 57fa3487, Kernel Commit 6d4e91ab, and Kernel Commit ec407020.

Workarounds

• Periodically restart graphics applications and reboot affected devices on a schedule to reclaim leaked slab memory until patches are applied.
• Restrict access to DRM device nodes (/dev/dri/card*) so that only required service accounts can issue modeset ioctls.
• Where feasible, defer or batch modeset operations in userspace to reduce the rate of drm_crtc_commit allocations on unpatched kernels.