CVE-2026-43397 Overview
CVE-2026-43397 is a memory leak vulnerability in the Linux kernel's Samsung MIPI Display Serial Interface (DSI) bridge driver (drm/bridge: samsung-dsim). The flaw resides in the samsung_dsim_host_attach() function, which fails to remove a previously added bridge when subsequent initialization steps fail. Specifically, when drm_bridge_add() succeeds but samsung_dsim_register_te_irq() or pdata->host_ops->attach() returns an error, the function returns without calling drm_bridge_remove(). Each failed attach operation leaks kernel memory associated with the bridge object.
Critical Impact
Repeated failures in the Samsung DSIM driver attach path leak kernel memory, contributing to resource exhaustion on affected Linux systems using Samsung DSI display bridges.
Affected Products
- Linux kernel versions containing the drm/bridge/samsung-dsim driver prior to the fix commits
- Systems using Samsung MIPI DSI display bridge hardware
- Distributions packaging affected stable kernel branches
Discovery Timeline
- 2026-05-08 - CVE-2026-43397 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43397
Vulnerability Analysis
The vulnerability is a memory leak [CWE-401] in the Direct Rendering Manager (DRM) bridge subsystem of the Linux kernel. The samsung_dsim_host_attach() function performs initialization in sequence: it calls drm_bridge_add() to register the bridge with the DRM core, then invokes samsung_dsim_register_te_irq() to register the Tearing Effect (TE) interrupt, and finally calls the platform-specific pdata->host_ops->attach() callback.
If any step after drm_bridge_add() fails, the function returns the error code directly. The added bridge is never removed, and resources allocated for it remain referenced by the DRM core. The TE IRQ handler can also remain registered if the platform attach callback fails after IRQ registration, leaving a partially initialized driver state.
The issue affects kernel memory management in long-running systems that exercise the attach path repeatedly, such as during probe retries triggered by deferred device dependencies.
Root Cause
The root cause is missing cleanup logic in the error paths of samsung_dsim_host_attach(). The function lacks goto-based unwinding to reverse successful initialization steps when a later step fails. The fix introduces structured error labels that call drm_bridge_remove() and samsung_dsim_unregister_te_irq() as appropriate. The samsung_dsim_unregister_te_irq() function was also relocated above samsung_dsim_host_attach() to avoid a forward declaration.
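The error-path difference described above can be reproduced in a userspace model. This is an added example, not the kernel patch or the driver's own code: the `model_*` helpers, the `host_attach_*` functions, the label names and the errno values are hypothetical stand-ins for the calls named in the text.

```c
#include <errno.h>
#include <stdio.h>
/* Userspace model, not kernel code. Counters stand in for DRM/IRQ state; fail_* inject faults. */
static int bridges_registered, te_irqs_registered, fail_te_irq, fail_platform_attach;
static void model_bridge_add(void) { bridges_registered++; }
static void model_bridge_remove(void) { bridges_registered--; }
static void model_unregister_te_irq(void) { te_irqs_registered--; }
static int model_platform_attach(void) { return fail_platform_attach ? -ENODEV : 0; }
static int model_register_te_irq(void) { return fail_te_irq ? -EINVAL : (te_irqs_registered++, 0); }

/* Pre-fix shape: any failure after the add returns directly. */
static int host_attach_leaky(void)
{
    int ret;
    model_bridge_add();
    if ((ret = model_register_te_irq())) return ret; /* bridge stays registered */
    if ((ret = model_platform_attach())) return ret; /* bridge and TE IRQ stay */
    return 0;
}

/* Fixed shape: labels unwind in reverse order of setup. */
static int host_attach_fixed(void)
{
    int ret;
    model_bridge_add();
    if ((ret = model_register_te_irq())) goto err_remove_bridge;
    if ((ret = model_platform_attach())) goto err_unregister_te_irq;
    return 0;
err_unregister_te_irq:
    model_unregister_te_irq();
err_remove_bridge:
    model_bridge_remove();
    return ret;
}

/* Run n attaches under the given faults; return bridges left registered. */
static int leaked_bridges(int (*attach)(void), int n, int te_fail, int plat_fail)
{
    bridges_registered = te_irqs_registered = 0;
    fail_te_irq = te_fail; fail_platform_attach = plat_fail;
    for (int i = 0; i < n; i++) attach();
    return bridges_registered;
}

int main(void)
{
    printf("leaky=%d fixed=%d\n", leaked_bridges(host_attach_leaky, 100, 0, 1),
           leaked_bridges(host_attach_fixed, 100, 0, 1));
    return 0;
}
```

In the model, each failed attach in the leaky variant leaves one bridge registered (and one TE IRQ when the platform callback is the step that fails), while the fixed variant returns both counters to zero and still propagates the error code.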
Attack Vector
The attack vector requires local conditions that cause the attach sequence to fail after drm_bridge_add() succeeds. A local attacker with the ability to trigger driver re-probing, or environmental conditions producing repeated probe failures, can amplify the leak. The vulnerability does not provide direct code execution or privilege escalation. Impact is limited to kernel memory exhaustion over time.
No public proof-of-concept exploit is referenced for this issue. The fix is distributed across kernel stable commits 0b07f7d2, 803ec1fa, 98310fe3, a40b92fb, and e6d77965.
Detection Methods for CVE-2026-43397
Indicators of Compromise
- Steady growth in kernel slab allocations associated with drm_bridge objects without a corresponding workload increase
- Repeated samsung-dsim probe failure messages in dmesg referencing TE IRQ registration or platform attach errors
- Unexplained reduction in available kernel memory on devices using Samsung DSI display bridges
Detection Strategies
- Monitor /proc/slabinfo for sustained growth in DRM bridge-related slab caches on systems with Samsung DSI hardware
- Audit kernel logs for recurring samsung_dsim_host_attach error returns that indicate the vulnerable code path is being exercised
- Compare running kernel version against the patched stable releases referenced in the upstream commits
Monitoring Recommendations
- Track kernel memory usage trends with telemetry tools and alert on abnormal growth over time
- Capture and aggregate dmesg output centrally to identify systems repeatedly hitting samsung-dsim probe failures
- Inventory Linux endpoints that load the samsung-dsim module and prioritize them for patch verification
How to Mitigate CVE-2026-43397
Immediate Actions Required
- Update affected Linux kernels to a stable release containing one of the fix commits: 0b07f7d2, 803ec1fa, 98310fe3, a40b92fb, or e6d77965
- Verify distribution kernel package versions against vendor advisories for the samsung-dsim fix
- Reboot systems after applying the updated kernel to load the patched driver
Patch Information
The upstream Linux kernel fix adds error-handling labels in samsung_dsim_host_attach() to ensure drm_bridge_remove() is called in all failure paths and that samsung_dsim_unregister_te_irq() is invoked when the attach callback fails after IRQ registration. Patch details are available in the upstream commits: Kernel Git Commit 0b07f7d, Kernel Git Commit 803ec1fa, Kernel Git Commit 98310fe3, Kernel Git Commit a40b92fb, and Kernel Git Commit e6d77965.
Workarounds
- Avoid configurations that trigger repeated samsung-dsim probe failures, such as misconfigured device trees referencing missing TE IRQ resources
- Blacklist the samsung-dsim module on systems that do not require Samsung DSI display output until the patched kernel is deployed
- Schedule periodic reboots on affected long-running embedded systems to reclaim leaked kernel memory until patching is complete


