CVE-2026-46221 Overview
CVE-2026-46221 is a memory leak vulnerability in the Linux kernel's EDAC (Error Detection and Correction) subsystem, specifically in the versalnet driver. The device name allocated via kzalloc() inside init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. Because device_register() copies init_name and then sets dev->init_name to NULL, the original allocation becomes unreachable and leaks on every probe/remove cycle. The fix replaces the heap allocation with a stack-local character array, eliminating the leak entirely.
Critical Impact
Repeated probe and removal of the EDAC versalnet driver leaks kernel memory, contributing to long-term resource exhaustion on affected systems.
Affected Products
- Linux kernel versions containing the EDAC versalnet driver prior to the patched commits
- AMD/Xilinx Versal NET platforms using EDAC memory controller support
- Stable kernel branches tracked by commits 24d2912, 8cf5dd2, and b16033c
Discovery Timeline
- 2026-05-28 - CVE-2026-46221 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46221
Vulnerability Analysis
The EDAC subsystem in the Linux kernel reports hardware memory errors detected by the platform's memory controller. The versalnet driver provides this support for AMD Versal NET devices. During initialization, init_one_mc() allocates a buffer using kzalloc() to hold the device name, then assigns the pointer to dev->init_name.
The core device model treats init_name as a transient field. When device_register() runs, it copies the string into the device's permanent name storage and then sets dev->init_name = NULL. The original heap pointer is no longer referenced by any kernel data structure, so the standard removal path cannot free it. Each bind/unbind cycle of the driver therefore leaks the allocated buffer.
Root Cause
The defect is an [CWE-401] missing release of memory after effective lifetime. The driver assumed init_name retained ownership of the allocation, but the device model semantics invalidate that pointer during registration. No corresponding kfree() exists on the removal path because there is no remaining reference to free.
Attack Vector
The vulnerability requires local access to load, unload, or rebind the versalnet EDAC driver, an operation typically restricted to root. It does not enable code execution or privilege escalation. Repeated driver reload cycles, scripted hotplug events, or fault-injection testing can amplify the leak over time and reduce available kernel memory. The patched code removes the allocation entirely by using a stack-local character array passed into the device registration helper.
Detection Methods for CVE-2026-46221
Indicators of Compromise
- Growth of kmalloc-* slab caches correlated with repeated load/unload of the edac_versalnet module
- kmemleak reports referencing allocations originating in init_one_mc() within the EDAC versalnet driver
- Gradual reduction of MemAvailable in /proc/meminfo on systems that frequently rebind EDAC devices
Detection Strategies
- Enable CONFIG_DEBUG_KMEMLEAK on test kernels and scan /sys/kernel/debug/kmemleak for unreferenced allocations attributed to the EDAC versalnet driver
- Compare installed kernel build hashes against the fixed commits 24d2912962d0, 8cf5dd235eff, and b16033c8774f
- Use slabtop and /proc/slabinfo to baseline allocation counts across driver bind/unbind cycles
Monitoring Recommendations
- Track kernel memory utilization on Versal NET platforms running long-lived workloads
- Audit dmesg for repeated EDAC versalnet probe and remove events that could compound the leak
- Forward kernel telemetry to a centralized log platform to correlate memory growth with driver lifecycle events
How to Mitigate CVE-2026-46221
Immediate Actions Required
- Update affected systems to a Linux kernel containing commits 24d2912962d087ebff7c4984f8ac34a5f23c8dbf, 8cf5dd235eff6008cb04c3d8064d2acfa90616f1, or b16033c8774f5fb4c0cb9b445a1dfc68f499ae6a
- Avoid unnecessary unbind/rebind cycles of the edac_versalnet driver until patched kernels are deployed
- Restrict module load and device hotplug operations to privileged administrators
Patch Information
The upstream fix replaces the kzalloc()-based name buffer in init_one_mc() with a stack-local char array, eliminating the leaked allocation. Patched commits are available from the stable kernel tree: Kernel Git Commit 24d2912, Kernel Git Commit 8cf5dd2, and Kernel Git Commit b16033c.
Workarounds
- Unload the edac_versalnet module on systems that do not require EDAC reporting for Versal NET hardware
- Schedule periodic reboots on systems where the patched kernel cannot yet be deployed to reclaim leaked memory
- Blacklist the driver via /etc/modprobe.d/ where EDAC functionality is not operationally required
# Configuration example
# Verify whether the EDAC versalnet driver is loaded
lsmod | grep edac_versalnet
# Temporarily unload the driver where EDAC is not required
sudo modprobe -r edac_versalnet
# Persistently blacklist the driver until a patched kernel is installed
echo 'blacklist edac_versalnet' | sudo tee /etc/modprobe.d/blacklist-edac-versalnet.conf
# Confirm running kernel version against patched stable releases
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
