Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53261

CVE-2026-53261: Linux Kernel Devlink Memory Leak Flaw

CVE-2026-53261 is a memory leak vulnerability in the Linux kernel devlink subsystem where nested relations aren't released on probe failures. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-53261 Overview

CVE-2026-53261 is a memory leak vulnerability in the Linux kernel's devlink subsystem. The flaw resides in how the kernel handles nested relation state during devlink instance teardown. Normally, devl_unregister() invokes devlink_rel_put() to release relation state. However, this path is skipped when a devlink instance acquires a nested relation before registration and then fails probe before devl_register() runs.

This condition occurs with Subfunctions (SFs), where a child devlink links to its parent prior to registration. A subsequent probe error calls devlink_free() directly, leaking devlink->rel because devl_unregister() is never invoked. The fix releases any pending relation from devlink_free() as well.

Critical Impact

Repeated probe failures on devlink-managed devices can exhaust kernel memory through leaked nested relation state, degrading host stability over time.

Affected Products

  • Linux kernel versions containing the devlink nested relation code path prior to the fix
  • Systems using Subfunctions (SFs) on devlink-capable network devices
  • Distributions shipping kernels referenced by the stable patch commits

Discovery Timeline

  • 2026-06-25 - CVE-2026-53261 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53261

Vulnerability Analysis

The Linux kernel devlink subsystem exposes a unified interface for managing network device parameters, ports, and Subfunctions. Each devlink instance can participate in a nested relation, where a child devlink links to a parent devlink. The relation state is tracked through the devlink->rel field.

Under normal operation, the kernel releases relation state when an instance is unregistered. The function devl_unregister() calls devlink_rel_put() to drop the reference. The defect arises in a specific lifecycle window: an instance can acquire a nested relation before it is registered. If probe fails after the relation is established but before devl_register() completes, the driver path calls devlink_free() directly and bypasses devl_unregister() entirely.

The practical impact is a kernel memory leak each time this probe-failure sequence repeats. Drivers that instantiate SFs and encounter transient errors during initialization can leak relation objects without bound. This degrades host stability over long uptimes and may serve as a primitive for resource exhaustion on multi-tenant systems running many SFs.

Root Cause

The root cause is incomplete cleanup in the unregistered-instance teardown path. The devlink_free() function did not release devlink->rel, relying on devl_unregister() to handle that responsibility. Instances that never reached registration retained their relation reference at free time.

Attack Vector

Triggering the leak requires the ability to cause probe failures on devlink-managed devices with nested relations, typically SFs. The flaw is local in nature and does not provide code execution or privilege escalation. Persistent triggering of failed SF creation results in cumulative kernel memory loss.

The vulnerability mechanism is described in the upstream commit messages. See the Kernel Patch Commit 11324d5 and related stable backports for the exact code changes.

Detection Methods for CVE-2026-53261

Indicators of Compromise

  • Steady, unexplained growth in kernel slab allocations associated with the devlink subsystem on hosts that repeatedly create and tear down Subfunctions
  • dmesg entries showing repeated SF probe failures followed by devlink_free() invocations without matching unregister events
  • Reduced MemAvailable over time on hosts running heavy devlink workloads with no corresponding user-space memory growth

Detection Strategies

  • Compare running kernel version against the fixed commits referenced by the stable tree to determine exposure
  • Monitor slabtop output for unbounded growth in devlink-related caches during SF churn
  • Correlate driver probe-failure log lines with longitudinal kernel memory metrics to identify the leak signature

Monitoring Recommendations

  • Collect /proc/meminfo and /proc/slabinfo at regular intervals and alert on sustained drift
  • Track devlink lifecycle events through the kernel audit subsystem or ftrace when running SF-heavy workloads
  • Centralize host telemetry to identify nodes accumulating leaks faster than their peers

How to Mitigate CVE-2026-53261

Immediate Actions Required

  • Inventory hosts running kernels that predate the four stable commits referenced in the advisory
  • Apply the upstream kernel update from your distribution maintainer as soon as it is available
  • Reduce SF churn on unpatched hosts to limit the rate of leak accumulation until patching completes

Patch Information

The fix releases any pending nested relation from devlink_free() in addition to devl_unregister(). The registered path is unchanged because devl_unregister() already clears devlink->rel before devlink_free() runs. Stable kernel backports are available in the following commits:

Workarounds

  • Restart hosts periodically to reclaim leaked relation state when patching cannot be performed immediately
  • Address the underlying cause of SF probe failures in driver configuration to avoid triggering the leak path
  • Restrict creation of Subfunctions on affected hosts to privileged administrators only
bash
# Verify the running kernel version against fixed stable releases
uname -r

# Inspect devlink-related slab usage to baseline memory behavior
sudo grep -i devlink /proc/slabinfo

# Review recent devlink and SF probe events for failure patterns
sudo dmesg | grep -iE 'devlink|subfunction|sf'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.