CVE-2026-43317 Overview
CVE-2026-43317 is a memory leak vulnerability in the Linux kernel's Media Oriented Systems Transport (MOST) core subsystem. The flaw resides in the early registration failure path of the MOST interface code. A prior fix addressed resource leaks on registration failures but omitted the first error path, which continues to leak resources tied to the interface. The vulnerability is classified under CWE-401 (Missing Release of Memory after Effective Lifetime).
The issue affects Linux kernel versions including the 7.0 release candidates (rc1 through rc7). Exploitation requires local access with low privileges and can lead to denial of service through resource exhaustion.
Critical Impact
Repeated triggering of the failure path can exhaust kernel memory, degrading system stability and causing denial of service on the affected host.
Affected Products
- Linux kernel (multiple stable branches)
- Linux kernel 7.0-rc1 through 7.0-rc7
- Systems using the MOST (Media Oriented Systems Transport) driver core
Discovery Timeline
- 2026-05-08 - CVE-2026-43317 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43317
Vulnerability Analysis
The vulnerability exists in the MOST (Media Oriented Systems Transport) core driver located at drivers/most/core.c in the Linux kernel. MOST is a high-speed multimedia network technology used in automotive infotainment systems. When the kernel registers a MOST interface, several resources are allocated before the interface is fully attached to the subsystem.
An earlier patch addressed leaks along most error paths during early registration failures. However, the first error path was overlooked. When that specific failure condition triggers, the function returns without releasing the interface resources. Each failed registration attempt leaks kernel memory associated with the interface structure.
The vulnerability is tracked under CWE-401 (Missing Release of Memory after Effective Lifetime). Impact is limited to availability, with no confidentiality or integrity consequences.
Root Cause
The root cause is an incomplete fix to a prior memory leak patch. The corrected error handling logic was applied to subsequent error paths but not to the first error branch in the registration function. The interface object allocated earlier in the function never reaches the cleanup code, so it remains allocated indefinitely.
Attack Vector
Exploitation requires local access to a system with the MOST kernel module loaded and accessible. A low-privileged local user or a malicious driver capable of triggering the failing registration path can repeatedly invoke the vulnerable code. Each invocation leaks kernel memory until system resources are exhausted, producing denial of service.
No verified public exploit is available. EPSS data indicates a very low probability of exploitation in the wild.
No verified proof-of-concept code is published for this issue. The fix is described in the official kernel commits referenced in the Kernel Git Commit Change advisory.
Detection Methods for CVE-2026-43317
Indicators of Compromise
- Steadily increasing kernel slab memory consumption visible in /proc/slabinfo without a corresponding workload increase.
- Repeated MOST driver registration failure messages in dmesg or the kernel ring buffer.
- Gradual reduction of available system memory accompanied by kmalloc allocation pressure on long-running hosts.
Detection Strategies
- Monitor kernel memory usage trends with slabtop, vmstat, and /proc/meminfo to identify unexplained growth.
- Audit loaded kernel modules with lsmod | grep most to determine exposure on production hosts.
- Compare running kernel versions to the patched commits using uname -r and vendor advisories.
Monitoring Recommendations
- Forward kernel log events containing MOST driver errors to a centralized logging or SIEM platform for correlation.
- Alert on sustained kernel memory growth that does not correlate with workload metrics.
- Track kernel package versions across the fleet and flag hosts running unpatched 7.0-rc series builds.
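The slab-growth alert described above can be prototyped as follows. This is an added example, not code from the advisory or the kernel project; the thresholds, the parallel workload series and the /proc/meminfo snapshots are constructed assumptions.

```python
import re

def _snapshot(kb):
    # Constructed /proc/meminfo excerpt (not captured from a real host).
    return ("MemTotal:        8000000 kB\n"
            "SReclaimable:     250000 kB\n"
            f"SUnreclaim:      {kb} kB\n")

# Constructed series, one snapshot per fixed sampling interval.
LEAKING = [_snapshot(v) for v in (160000, 163100, 166050, 166000, 169400, 172800, 176100)]
STEADY = [_snapshot(v) for v in (160000, 161200, 159800, 160500, 160100, 159900, 160300)]

def sunreclaim_kb(meminfo_text):
    """Extract the SUnreclaim value (kB) from one /proc/meminfo snapshot."""
    m = re.search(r"^SUnreclaim:\s+(\d+)\s+kB", meminfo_text, re.MULTILINE)
    if m is None:
        raise ValueError("SUnreclaim not found in snapshot")
    return int(m.group(1))

def assess(snapshots, workload, min_samples=6, min_growth_kb=8192,
           rising_share=0.8, load_tolerance=0.10):
    """Classify a snapshot series; `workload` is a parallel load metric
    (requests/s, process count, ...) chosen by the operator (assumption)."""
    if len(snapshots) < min_samples or len(snapshots) != len(workload):
        return {"verdict": "insufficient-data", "growth_kb": 0}
    series = [sunreclaim_kb(s) for s in snapshots]
    deltas = [b - a for a, b in zip(series, series[1:])]
    rising = sum(d > 0 for d in deltas) / len(deltas)   # share of rising intervals
    growth = series[-1] - series[0]
    load_change = (workload[-1] - workload[0]) / max(workload[0], 1)
    if growth < min_growth_kb or rising < rising_share:
        verdict = "stable"
    elif load_change > load_tolerance:
        verdict = "explained-by-load"   # slab grew, but so did the workload
    else:
        verdict = "suspected-leak"      # sustained growth under flat load
    return {"verdict": verdict, "growth_kb": growth}

if __name__ == "__main__":
    flat = [100] * 7
    print(assess(LEAKING, flat))
    print(assess(STEADY, flat))
```

A "suspected-leak" verdict only says that unreclaimable slab is growing under flat load; confirm the source with slabtop and the MOST driver messages in the kernel log before attributing it to this CVE.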
How to Mitigate CVE-2026-43317
Immediate Actions Required
- Apply the upstream kernel patches referenced in the kernel.org commits to all affected systems.
- Unload the MOST module with modprobe -r most_core on systems that do not require MOST functionality.
- Restrict local access on systems where the MOST driver cannot be removed or updated immediately.
Patch Information
The Linux kernel maintainers released fixes across multiple stable branches. The relevant commits are 2c198c272f9c, 5fd4396c2e48, bbfe49ffb892, and f1ba620f9e8d. Refer to the Kernel Git Commit Change reference for the upstream fix. Distribution vendors will roll these patches into their stable kernel updates.
Workarounds
- Blacklist the MOST kernel modules on systems that do not use Media Oriented Systems Transport hardware.
- Limit access to local accounts and audit any process capable of triggering driver registration paths.
- Reboot long-running hosts to reclaim leaked memory until patches are deployed.
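# Blacklist the MOST driver until the kernel is patched
echo "blacklist most_core" | sudo tee /etc/modprobe.d/blacklist-most.conf
# Refresh the module dependency data
sudo depmod -a
# Debian/Ubuntu: rebuild the initramfs so the blacklist also applies during early boot
sudo update-initramfs -u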
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


