CVE-2026-46030 Overview
CVE-2026-46030 is a memory leak vulnerability in the Linux kernel's EDAC (Error Detection And Correction) subsystem, specifically in the versalnet driver. The flaw resides in the mc_probe() function, where of_parse_phandle() returns a device_node reference that the original code never released. The r5_core_node variable remained unfreed on every exit path, leaking kernel memory each time the probe function executed. The fix applies the automatic cleanup attribute __free(device_node), which guarantees of_node_put() is called when the variable goes out of scope.
Critical Impact
Repeated invocation of the affected probe path can exhaust kernel memory over time, degrading system stability on AMD Versal NET platforms running affected Linux kernel builds.
Affected Products
- Linux kernel builds containing the EDAC versalnet driver prior to the referenced fix commits
- Stable kernel branches receiving backports identified by commits 17e1369, 5c709b3, and b6e6135
- Systems based on AMD Versal NET adaptive SoCs using the EDAC memory controller driver
Discovery Timeline
- 2026-05-27 - CVE CVE-2026-46030 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-46030
Vulnerability Analysis
The vulnerability is a kernel memory leak [CWE-401] in the EDAC versalnet memory controller driver. The mc_probe() function calls of_parse_phandle() to obtain a reference to the r5_core_node device tree node. According to the Linux device tree API contract, every device_node reference acquired via of_parse_phandle() must be released by a matching call to of_node_put(). The original implementation omitted this release call on every exit path, including both success and error returns.
Each probe invocation therefore increments the reference count on the corresponding device tree node without a counterbalancing decrement. The node and its associated kernel structures remain pinned in memory until the system reboots. While a single leak is small, repeated probe events — for example through driver reload cycles or hotplug operations — accumulate and waste kernel slab memory.
The maintainers fixed the issue by declaring the variable with the scope-based cleanup attribute __free(device_node). The compiler now emits an automatic of_node_put() call when the variable leaves scope, eliminating the leak on every return path without manual goto-based cleanup.
Root Cause
The root cause is missing reference counting hygiene. The of_parse_phandle() helper transfers ownership of a reference to the caller, but the original mc_probe() implementation treated the returned pointer as a borrowed reference. No of_node_put() call existed on any control flow path through the function.
Attack Vector
This is a local resource management defect rather than a directly exploitable security flaw. Triggering the leak requires the affected versalnet EDAC driver to be probed on hardware that matches its device tree binding. An unprivileged remote attacker cannot reach this code path. The vulnerability is described in prose only because no public proof-of-concept exists, and the upstream commits referenced in the Kernel Git Commit 17e1369, Kernel Git Commit 5c709b3, and Kernel Git Commit b6e6135 provide the authoritative technical detail.
Detection Methods for CVE-2026-46030
Indicators of Compromise
- Growing kernel slab usage attributable to kmalloc-* caches associated with device tree node allocations on AMD Versal NET systems.
- Repeated EDAC versalnet probe messages in dmesg correlated with rising Slab values in /proc/meminfo.
Detection Strategies
- Audit running kernel versions against the patched commit hashes 17e1369, 5c709b3, and b6e6135 to identify unpatched hosts.
- Use kmemleak (CONFIG_DEBUG_KMEMLEAK=y) on test systems to confirm leaked allocations originating from of_parse_phandle() within mc_probe().
- Track Slab and SReclaimable trends in /proc/meminfo over driver reload cycles on Versal NET hardware.
Monitoring Recommendations
- Forward kernel logs and memory telemetry from Linux fleets to a centralized analytics platform for long-term trend analysis.
- Alert on sustained kernel memory growth on embedded and SoC platforms where the EDAC subsystem loads at boot.
- Include kernel patch level in asset inventory so out-of-date builds carrying this fix gap are visible to security operations.
How to Mitigate CVE-2026-46030
Immediate Actions Required
- Upgrade affected Linux kernels to a version that includes commits 17e136993b2b, 5c709b376460, or b6e61356ad24 from the upstream stable tree.
- Identify hosts running the EDAC versalnet driver by inspecting loaded modules with lsmod | grep versalnet and prioritize their patching.
- Schedule reboots after kernel package updates to ensure the patched driver is active in memory.
Patch Information
The fix is delivered through three upstream stable kernel commits: Kernel Git Commit 17e1369, Kernel Git Commit 5c709b3, and Kernel Git Commit b6e6135. The patches replace the manually managed device_node reference with the scope-based __free(device_node) cleanup attribute, ensuring of_node_put() is invoked on every exit path from mc_probe(). Apply distribution-provided kernel updates that incorporate these commits.
Workarounds
- Blacklist the versalnet_edac module on systems where EDAC functionality is not required, preventing the leaking probe path from executing.
- Avoid repeated driver unload and reload cycles on affected hardware until patched kernels are deployed, limiting accumulation of leaked references.
# Configuration example: blacklist the affected EDAC driver until patched
echo "blacklist versalnet_edac" | sudo tee /etc/modprobe.d/blacklist-versalnet-edac.conf
sudo update-initramfs -u
# Verify the patched commit is present in the running kernel source tree
git log --oneline | grep -E "17e1369|5c709b3|b6e6135"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
