CVE-2026-53261 Overview
CVE-2026-53261 is a memory leak vulnerability in the Linux kernel's devlink subsystem. The flaw resides in how the kernel handles nested relation state during devlink instance teardown. Normally, devl_unregister() invokes devlink_rel_put() to release relation state. However, this path is skipped when a devlink instance acquires a nested relation before registration and then fails probe before devl_register() runs.
This condition occurs with Subfunctions (SFs), where a child devlink links to its parent prior to registration. A subsequent probe error calls devlink_free() directly, leaking devlink->rel because devl_unregister() is never invoked. The fix releases any pending relation from devlink_free() as well.
Critical Impact
Repeated probe failures on devlink-managed devices can exhaust kernel memory through leaked nested relation state, degrading host stability over time.
Affected Products
- Linux kernel versions containing the devlink nested relation code path prior to the fix
- Systems using Subfunctions (SFs) on devlink-capable network devices
- Distributions shipping kernels referenced by the stable patch commits
Discovery Timeline
- 2026-06-25 - CVE-2026-53261 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53261
Vulnerability Analysis
The Linux kernel devlink subsystem exposes a unified interface for managing network device parameters, ports, and Subfunctions. Each devlink instance can participate in a nested relation, where a child devlink links to a parent devlink. The relation state is tracked through the devlink->rel field.
Under normal operation, the kernel releases relation state when an instance is unregistered. The function devl_unregister() calls devlink_rel_put() to drop the reference. The defect arises in a specific lifecycle window: an instance can acquire a nested relation before it is registered. If probe fails after the relation is established but before devl_register() completes, the driver path calls devlink_free() directly and bypasses devl_unregister() entirely.
The practical impact is a kernel memory leak each time this probe-failure sequence repeats. Drivers that instantiate SFs and encounter transient errors during initialization can leak relation objects without bound. This degrades host stability over long uptimes and may serve as a primitive for resource exhaustion on multi-tenant systems running many SFs.
Root Cause
The root cause is incomplete cleanup in the unregistered-instance teardown path. The devlink_free() function did not release devlink->rel, relying on devl_unregister() to handle that responsibility. Instances that never reached registration retained their relation reference at free time.
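The teardown gap described above, reduced to a user-space C model. This is an added illustration, not kernel source or the upstream patch: the `model_*` names, the fixed-size pool standing in for kernel allocations, and the `fixed` switch are assumptions of the sketch.

```c
#include <string.h>

/* User-space model only; every model_* name is hypothetical, not kernel code. */
struct model_rel { int in_use, refs; };
struct model_devlink { struct model_rel *rel; };
static struct model_rel pool[64];   /* stands in for kernel allocations */

/* Child links to its parent; allowed before registration (the SF case). */
static void model_rel_nested_set(struct model_devlink *dl)
{
    for (int i = 0; i < 64 && !dl->rel; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = pool[i].refs = 1;
            dl->rel = &pool[i];
        }
}

/* Drop the instance's relation reference; the slot is reclaimed at zero refs. */
static void model_rel_put(struct model_devlink *dl)
{
    if (dl->rel && --dl->rel->refs == 0)
        dl->rel->in_use = 0;
    dl->rel = NULL;
}

/* fixed=1 models the patched free path, which also drops a pending relation. */
static void model_free(struct model_devlink *dl, int fixed)
{
    if (fixed)
        model_rel_put(dl);
    memset(dl, 0, sizeof(*dl));     /* instance gone; any rel pointer is lost */
}

/* Relations still live after `attempts` probes; fail=1 errors before register. */
int leaked_after(int attempts, int fail, int fixed)
{
    int live = 0;
    memset(pool, 0, sizeof(pool));
    for (int i = 0; i < attempts; i++) {
        struct model_devlink dl = { NULL };
        model_rel_nested_set(&dl);
        if (!fail)
            model_rel_put(&dl);     /* registered path: unregister drops it */
        model_free(&dl, fixed);
    }
    for (int i = 0; i < 64; i++)
        live += pool[i].in_use;
    return live;
}
```

`leaked_after(10, 1, 0)` leaves ten relations live, while the same failed probes with `fixed = 1`, or any run that reaches the registered path, leave none. The pool holds 64 entries, so keep `attempts` at or below that.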
Attack Vector
Triggering the leak requires the ability to cause probe failures on devlink-managed devices with nested relations, typically SFs. The flaw is local in nature and does not provide code execution or privilege escalation. Persistent triggering of failed SF creation results in cumulative kernel memory loss.
The vulnerability mechanism is described in the upstream commit messages. See the Kernel Patch Commit 11324d5 and related stable backports for the exact code changes.
Detection Methods for CVE-2026-53261
Indicators of Compromise
- Steady, unexplained growth in kernel slab allocations associated with the devlink subsystem on hosts that repeatedly create and tear down Subfunctions
- dmesg entries showing repeated SF probe failures followed by devlink_free() invocations without matching unregister events
- Reduced MemAvailable over time on hosts running heavy devlink workloads with no corresponding user-space memory growth
Detection Strategies
- Compare running kernel version against the fixed commits referenced by the stable tree to determine exposure
- Monitor slabtop output for unbounded growth in devlink-related caches during SF churn
- Correlate driver probe-failure log lines with longitudinal kernel memory metrics to identify the leak signature
Monitoring Recommendations
- Collect /proc/meminfo and /proc/slabinfo at regular intervals and alert on sustained drift
- Track devlink lifecycle events through the kernel audit subsystem or ftrace when running SF-heavy workloads
- Centralize host telemetry to identify nodes accumulating leaks faster than their peers
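One way to implement the "alert on sustained drift" check over periodic /proc/slabinfo samples, as an added example rather than code from the advisory or the kernel project. The snapshots are constructed, `example_cache` is a placeholder cache name, and the never-shrinks criterion and growth threshold are assumptions to tune per host.

```c
#include <stdio.h>
#include <string.h>

/* active_objs for `cache` in one /proc/slabinfo-format snapshot, or -1 if absent. */
long slab_active_objs(const char *snap, const char *cache)
{
    size_t len = strlen(cache);
    for (const char *line = snap; line && *line; ) {
        long active;
        /* the name must match exactly and be followed by whitespace */
        if (!strncmp(line, cache, len) && (line[len] == ' ' || line[len] == '\t') &&
            sscanf(line + len, "%ld", &active) == 1)
            return active;
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* 1: cache never shrinks between samples and grows by >= min_growth overall;
 * 0: it does not; -1: some sample lacks the cache. Both criteria are assumptions. */
int sustained_growth(const char *const snaps[], int n, const char *cache, long min_growth)
{
    long first = 0, prev = 0;
    for (int i = 0; i < n; i++) {
        long cur = slab_active_objs(snaps[i], cache);
        if (cur < 0)
            return -1;
        if (i == 0)
            first = cur;
        else if (cur < prev)
            return 0;       /* cache gave objects back: not a steady leak */
        prev = cur;
    }
    return n > 1 && prev - first >= min_growth;
}

/* Constructed samples, not host data; "example_cache" is a placeholder name. */
const char *const SAMPLES[] = {
    "example_cache 1200 1280 64 64 1 : tunables 0 0 0 : slabdata 20 20 0\n"
    "dentry        9000 9100 192 21 1 : tunables 0 0 0 : slabdata 434 434 0\n",
    "example_cache 1850 1920 64 64 1 : tunables 0 0 0 : slabdata 30 30 0\n"
    "dentry        8700 9100 192 21 1 : tunables 0 0 0 : slabdata 434 434 0\n",
    "example_cache 2500 2560 64 64 1 : tunables 0 0 0 : slabdata 40 40 0\n"
    "dentry        9050 9100 192 21 1 : tunables 0 0 0 : slabdata 434 434 0\n",
};
```

On the constructed samples, `example_cache` is flagged at a threshold of 500 objects, while `dentry` is not because it shrinks between the first two samples.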
How to Mitigate CVE-2026-53261
Immediate Actions Required
- Inventory hosts running kernels that predate the four stable commits referenced in the advisory
- Apply the upstream kernel update from your distribution maintainer as soon as it is available
- Reduce SF churn on unpatched hosts to limit the rate of leak accumulation until patching completes
Patch Information
The fix releases any pending nested relation from devlink_free() in addition to devl_unregister(). The registered path is unchanged because devl_unregister() already clears devlink->rel before devlink_free() runs. Stable kernel backports are available in the following commits:
- Kernel Patch Commit 11324d5
- Kernel Patch Commit 3522b21
- Kernel Patch Commit 927f968
- Kernel Patch Commit a913728
Workarounds
- Restart hosts periodically to reclaim leaked relation state when patching cannot be performed immediately
- Address the underlying cause of SF probe failures in driver configuration to avoid triggering the leak path
- Restrict creation of Subfunctions on affected hosts to privileged administrators only
# Verify the running kernel version against fixed stable releases
uname -r
# Inspect devlink-related slab usage to baseline memory behavior
sudo grep -i devlink /proc/slabinfo
# Review recent devlink and SF probe events for failure patterns
# ("sf" is matched as a whole word so unrelated strings such as "transfer" are skipped)
sudo dmesg | grep -iE 'devlink|subfunction|\bsf\b'

