{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23015", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.940Z", "datePublished": "2026-01-31T11:38:57.983Z", "dateUpdated": "2026-05-11T21:58:21.315Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:58:21.315Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths\n\nThe reference obtained by calling usb_get_dev() is not released in the\ngpio_mpsse_probe() error paths. Fix that by using device managed helper\nfunctions. Also remove the usb_put_dev() call in the disconnect function\nsince now it will be released automatically."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpio/gpio-mpsse.c"], "versions": [{"version": "c46a74ff05c0ac76ba11ef21c930c3b447abf31a", "lessThan": "7ea26e6dcabc270433b6ded2a1aee85b215d1b28", "status": "affected", "versionType": "git"}, {"version": "c46a74ff05c0ac76ba11ef21c930c3b447abf31a", "lessThan": "1e876e5a0875e71e34148c9feb2eedd3bf6b2b43", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpio/gpio-mpsse.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.6", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7ea26e6dcabc270433b6ded2a1aee85b215d1b28"}, {"url": "https://git.kernel.org/stable/c/1e876e5a0875e71e34148c9feb2eedd3bf6b2b43"}], "title": "gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D6ADF96-8AFA-4C09-9113-77886A8371EC", "versionEndExcluding": "6.18.6", "versionStartIncluding": "6.13.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*", "matchCriteriaId": "5A3F9505-6B98-4269-8B81-127E55A1BF00", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths\n\nThe reference obtained by calling usb_get_dev() is not released in the\ngpio_mpsse_probe() error paths. Fix that by using device managed helper\nfunctions. Also remove the usb_put_dev() call in the disconnect function\nsince now it will be released automatically."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ngpio: mpsse: corregir fuga de referencia en las rutas de error de gpio_mpsse_probe()\n\nLa referencia obtenida al llamar a usb_get_dev() no se libera en las rutas de error de gpio_mpsse_probe(). Corregir eso utilizando funciones auxiliares gestionadas por el dispositivo. Tambi\u00e9n eliminar la llamada a usb_put_dev() en la funci\u00f3n de desconexi\u00f3n ya que ahora se liberar\u00e1 autom\u00e1ticamente."}], "id": "CVE-2026-23015", "lastModified": "2026-03-25T18:11:59.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-31T12:16:04.797", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1e876e5a0875e71e34148c9feb2eedd3bf6b2b43"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7ea26e6dcabc270433b6ded2a1aee85b215d1b28"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths", "id": "2435650", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2435650"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23015", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23015\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23015\nhttps://lore.kernel.org/linux-cve-announce/2026013135-CVE-2026-23015-8d01@gregkh/T"]}

{"analysis": {"en": {"generated_at": "2026-04-18T14:27:26.514295+00:00", "value": {"mitigation_remediation": ["Install a Linux kernel update that includes the MPSSE reference\u2011leak patch (e.g., any release newer than 6.13 or 6.19 RC8).", "If an update is not immediately available, unload the mpsse driver and prevent it from loading at boot by blacklisting the module or removing its init script.", "Restart the system after applying the changes to clear any accumulated references and ensure the driver is no longer active."], "summary": {"action": "Patch", "impact": "Denial of Service via Resource Exhaustion"}, "threat_synthesis": {"affected_systems": "Linux kernel versions 6.13 and 6.19 (release candidates 1 through 8) are affected. The issue exists in the gpio-mpsse driver that is compiled into these kernel releases. Users running these kernel versions with MPSSE-enabled USB devices are exposed.", "description_and_impact": "A reference leak in the Linux kernel\u2019s MPSSE GPIO driver occurs when usb_get_dev() is called during device probe but not released on error paths. The missing usb_put_dev() causes the USB device reference to accumulate, potentially exhausting kernel references and leading to system instability or denial of service. This flaw is a kernel resource management weakness that can be categorized as a reference or memory leak.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity. The EPSS probability is below 1\u202f%, and the vulnerability is not listed in the CISA KEV catalog, suggesting low likelihood of widespread exploitation. An attacker would need physical or local access to the target system to trigger the probe error path, typically by connecting a USB MPSSE device or causing a probe failure. If the bug is repeatedly exercised, it could degrade performance or crash the kernel, but remote exploitation without local access is not indicated."}}}}, "created": "2026-04-18T14:30:02.944859+00:00", "updated": "2026-04-18T14:30:02.944870+00:00", "vendors": []}