CVE-2026-45900

Published: May 27, 2026 · Updated: May 27, 2026

Official Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: caam - fix netdev memory leak in dpaa2_caam_probe

When commit 0e1a4d427f58 ("crypto: caam: Unembed net_dev structure in dpaa2") converted embedded net_device to dynamically allocated pointers, it added cleanup in dpaa2_dpseci_disable() but missed adding cleanup in dpaa2_dpseci_free() for error paths.

This causes memory leaks when dpaa2_dpseci_dpio_setup() fails during probe due to DPIO devices not being ready yet. The kernel's deferred probe mechanism handles the retry successfully, but the netdevs allocated during the failed probe attempt are never freed, resulting in kmemleak reports showing multiple leaked netdev-related allocations all traced back to dpaa2_caam_probe().

Fix this by preserving the CPU mask of allocated netdevs during setup and using it for cleanup in dpaa2_dpseci_free(). This approach ensures that only the CPUs that actually had netdevs allocated will be cleaned up, avoiding potential issues with CPU hotplug scenarios.

NVD Source
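
The cleanup pattern the description outlines, as an added example that is not the kernel patch or code from this page: a userspace C model in which per-CPU objects are allocated, each success is recorded in a mask, and the error path frees exactly the recorded entries without consulting the current online set. All names (`model_priv`, `clean_mask`, `model_setup`, `model_free`, `leaked_after_probe`) and the 8-CPU layout are hypothetical, and `malloc` stands in for the netdev allocation.

```c
#include <stdint.h>
#include <stdlib.h>

#define NCPUS 8                 /* constructed CPU count for this model */

struct model_priv {             /* hypothetical stand-in for driver state */
    void *net_dev[NCPUS];       /* one dynamically allocated object per CPU */
    uint32_t clean_mask;        /* bit n set: net_dev[n] was allocated */
};
static int live_allocs;         /* what a leak checker would still see */

/* Allocate per online CPU, recording each success; fail_at simulates a
 * probe failure arriving after some allocations already happened. */
static int model_setup(struct model_priv *p, uint32_t online, int fail_at)
{
    for (int cpu = 0; cpu < NCPUS; cpu++) {
        if (!(online & (1u << cpu)))
            continue;
        if (cpu == fail_at || !(p->net_dev[cpu] = malloc(64)))
            return -1;
        p->clean_mask |= 1u << cpu;
        live_allocs++;
    }
    return 0;
}

/* Error-path cleanup driven by the saved mask, not the current online set. */
static void model_free(struct model_priv *p)
{
    for (int cpu = 0; cpu < NCPUS; cpu++)
        if (p->clean_mask & (1u << cpu)) {
            free(p->net_dev[cpu]);
            p->net_dev[cpu] = NULL;
            live_allocs--;
        }
    p->clean_mask = 0;
}

/* Probe, then teardown: always on success, on failure only if free_on_error. */
static int leaked_after_probe(uint32_t online, int fail_at, int free_on_error)
{
    struct model_priv p = {0};
    live_allocs = 0;
    if (model_setup(&p, online, fail_at) == 0 || free_on_error)
        model_free(&p);
    return live_allocs;
}

int main(void) { return leaked_after_probe(0xB5, 5, 1); }
```

Calling `leaked_after_probe` with `free_on_error` set to 0 models the behaviour before the fix: every allocation made before the failure stays live across the deferred-probe retry.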

Technical Analysis

CVE-2026-45900 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

Quick Facts

CVE ID: CVE-2026-45900
Severity: NONE
CISA KEV: No
Published: May 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-45900 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.