CVE-2026-52904 Overview
CVE-2026-52904 is a memory leak vulnerability in the Linux kernel's drm/nouveau graphics driver. The flaw resides in the probe error-handling path when aperture_remove_conflicting_pci_devices() fails. In that path, the driver returns directly without unwinding the nvkm_device allocated by nvkm_device_pci_new(), leaking both the device wrapper and the pci_enable_device() reference held inside it.
The issue affects systems using NVIDIA GPUs with the open-source nouveau driver on affected Linux kernel builds. Repeated probe failures can result in cumulative kernel memory consumption and PCI reference imbalances.
Critical Impact
Repeated driver probe failures leak nvkm_device allocations and pci_enable_device() references, contributing to kernel resource exhaustion on affected systems.
Affected Products
- Linux kernel builds containing the regressed drm/nouveau probe path prior to the fix commits
- Systems using the nouveau driver with NVIDIA PCI GPUs
- Distributions shipping the affected stable kernel series referenced in the upstream commits
Discovery Timeline
- 2026-06-09 - CVE-2026-52904 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-52904
Vulnerability Analysis
The vulnerability is a kernel memory leak [CWE-401] in the nouveau DRM driver probe routine. During device initialization, nvkm_device_pci_new() allocates and prepares an nvkm_device structure and calls pci_enable_device() internally. The driver then calls aperture_remove_conflicting_pci_devices() to evict any earlier framebuffer or device claiming the same PCI BARs.
When aperture_remove_conflicting_pci_devices() returns an error, the original code returns directly from probe. This skips the teardown that would normally release the nvkm_device allocation and drop the PCI enable reference. As a result, both the wrapper structure and the underlying PCI reference remain held for the lifetime of the kernel.
The regression was introduced when an intermediate nvkm_device_del() call between detection and aperture removal was dropped to consolidate PCI device creation into a single step. The fix redirects the error path to jump to the existing fail_nvkm label so nvkm_device_del() runs and balances both allocations.
Root Cause
The root cause is an incomplete error-handling path in the nouveau probe function. A return statement on the aperture removal failure branch bypasses cleanup code that releases the nvkm_device and the PCI enable reference taken inside nvkm_device_pci_new().
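The two error-path shapes side by side, as an added example rather than the kernel's own code: a user-space C model in which counters stand in for the nvkm_device allocation and the pci_enable_device() reference. The model_* helpers, probe_regressed, probe_fixed and leaked_after are hypothetical names, and -EBUSY is an arbitrary error value.

```c
#include <errno.h>
#include <stdio.h>

/* User-space model, not kernel code. Held nvkm_device allocations and PCI enable refs. */
static int nvkm_devices, pci_enable_refs;

/* Stand-ins for nvkm_device_pci_new(), nvkm_device_del() and
 * aperture_remove_conflicting_pci_devices(); -EBUSY is an arbitrary error. */
static void model_device_new(void) { nvkm_devices++; pci_enable_refs++; }
static void model_device_del(void) { nvkm_devices--; pci_enable_refs--; }
static int model_aperture_remove(int fail) { return fail ? -EBUSY : 0; }

/* Regressed shape: the failure branch returns without unwinding. */
static int probe_regressed(int fail)
{
    model_device_new();
    int ret = model_aperture_remove(fail);
    if (ret)
        return ret;       /* device and enable reference stay held */
    model_device_del();   /* model only: a successful probe is torn down at once */
    return 0;
}

/* Fixed shape: the failure branch jumps to the shared cleanup label. */
static int probe_fixed(int fail)
{
    model_device_new();
    int ret = model_aperture_remove(fail);
    if (ret)
        goto fail_nvkm;
fail_nvkm:                /* model only: success falls through here as well */
    model_device_del();
    return ret;
}

/* Run `attempts` failing probes; return what is still held, -1 if counters diverge. */
static int leaked_after(int (*probe)(int), int attempts)
{
    nvkm_devices = pci_enable_refs = 0;
    for (int i = 0; i < attempts; i++)
        probe(1);
    return nvkm_devices == pci_enable_refs ? nvkm_devices : -1;
}

int main(void)
{
    printf("regressed: %d held, fixed: %d held\n",
           leaked_after(probe_regressed, 5), leaked_after(probe_fixed, 5));
    return 0;
}
```

Each failed probe in the regressed shape leaves one more allocation and one more enable reference outstanding, which is the cumulative growth the detection guidance looks for.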
Attack Vector
The issue is reachable only through driver probe failures, which typically require local access, hardware interaction, or repeated module load and unload operations. There is no remote attack vector and no privilege escalation path identified. The practical impact is resource leakage rather than direct compromise. EPSS data indicates very low real-world exploitation likelihood.
The vulnerability is described in prose because no exploitation code is applicable. Refer to the upstream patch commits for the exact code paths and fix logic.
Detection Methods for CVE-2026-52904
Indicators of Compromise
- Repeated nouveau probe failure messages in kernel logs paired with growing slab usage attributable to nouveau or nvkm allocations
- Persistent PCI device enable reference counts on NVIDIA GPUs after failed driver loads
- Increasing kmalloc accounting for nvkm-related caches across module load and unload cycles
Detection Strategies
- Compare installed kernel package versions against the fix commits referenced in the kernel.org stable tree to identify unpatched hosts
- Monitor dmesg for nouveau probe errors immediately followed by aperture_remove_conflicting_pci_devices failures
- Track kernel memory growth using /proc/slabinfo and kmemleak reports on long-running systems with GPU hardware
Monitoring Recommendations
- Enable CONFIG_DEBUG_KMEMLEAK on test systems to surface unfreed nvkm_device allocations during probe-failure scenarios
- Centralize kernel log collection and alert on recurring nouveau initialization failures across the fleet
- Track per-host kernel slab growth over time and correlate with driver load events
How to Mitigate CVE-2026-52904
Immediate Actions Required
- Apply vendor kernel updates that include the upstream nouveau fix commits referenced in the kernel.org stable tree
- Inventory Linux hosts using NVIDIA GPUs with the nouveau driver and prioritize patching for systems running unattended workloads
- Reboot affected systems after patching to ensure the corrected probe path is loaded
Patch Information
Fixes are available in the upstream Linux kernel through the following stable commits: 4404d7d2dda4, 5edd564ccb00, 6597ff1d8de3, and 843c0247cf21. The patches redirect the failure path to the existing fail_nvkm label so that nvkm_device_del() correctly unwinds the allocated device and PCI reference.
Workarounds
- Blacklist the nouveau driver on systems where it is not required, using modprobe.d configuration to prevent the affected probe path from executing
- Switch to the proprietary NVIDIA driver on systems with hardware support, eliminating the nouveau code path entirely
- Avoid repeated module load and unload cycles of nouveau on unpatched systems to limit cumulative leakage
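# Configuration example: blacklist nouveau until kernel is patched
echo "blacklist nouveau" | sudo tee /etc/modprobe.d/blacklist-nouveau.conf
# Also disable nouveau kernel mode setting
echo "options nouveau modeset=0" | sudo tee -a /etc/modprobe.d/blacklist-nouveau.conf
# Rebuild the initramfs so the blacklist applies at early boot
# (Debian/Ubuntu; on dracut-based distributions use: sudo dracut --force)
sudo update-initramfs -u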