{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23030", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.942Z", "datePublished": "2026-01-31T11:42:08.525Z", "dateUpdated": "2026-05-11T21:58:38.861Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:58:38.861Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()\n\nThe for_each_available_child_of_node() calls of_node_put() to\nrelease child_np in each success loop. After breaking from the\nloop with the child_np has been released, the code will jump to\nthe put_child label and will call the of_node_put() again if the\ndevm_request_threaded_irq() fails. These cause a double free bug.\n\nFix by returning directly to avoid the duplicate of_node_put()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/phy/rockchip/phy-rockchip-inno-usb2.c"], "versions": [{"version": "ed2b5a8e6b98d042b323afbe177a5dc618921b31", "lessThan": "b97b2c9808c9a97e0ce30216fa12096d8b0eaa75", "status": "affected", "versionType": "git"}, {"version": "ed2b5a8e6b98d042b323afbe177a5dc618921b31", "lessThan": "ebae26dd15140b840cf65be5e1c0daee949ba70b", "status": "affected", "versionType": "git"}, {"version": "ed2b5a8e6b98d042b323afbe177a5dc618921b31", "lessThan": "027d42b97e6eb827c3438ebc09bab7efaee9270d", "status": "affected", "versionType": "git"}, {"version": "ed2b5a8e6b98d042b323afbe177a5dc618921b31", "lessThan": "efe92ee7a111fe0f4d75f3ed6b7e3f86322279d5", "status": "affected", "versionType": "git"}, {"version": "ed2b5a8e6b98d042b323afbe177a5dc618921b31", "lessThan": "e07dea3de508cd6950c937cec42de7603190e1ca", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/phy/rockchip/phy-rockchip-inno-usb2.c"], "versions": [{"version": "5.17", "status": "affected"}, {"version": "0", "lessThan": "5.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.67", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.7", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.12.67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.18.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b97b2c9808c9a97e0ce30216fa12096d8b0eaa75"}, {"url": "https://git.kernel.org/stable/c/ebae26dd15140b840cf65be5e1c0daee949ba70b"}, {"url": "https://git.kernel.org/stable/c/027d42b97e6eb827c3438ebc09bab7efaee9270d"}, {"url": "https://git.kernel.org/stable/c/efe92ee7a111fe0f4d75f3ed6b7e3f86322279d5"}, {"url": "https://git.kernel.org/stable/c/e07dea3de508cd6950c937cec42de7603190e1ca"}], "title": "phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()\n\nThe for_each_available_child_of_node() calls of_node_put() to\nrelease child_np in each success loop. After breaking from the\nloop with the child_np has been released, the code will jump to\nthe put_child label and will call the of_node_put() again if the\ndevm_request_threaded_irq() fails. These cause a double free bug.\n\nFix by returning directly to avoid the duplicate of_node_put()."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nphy: rockchip: inno-usb2: Correcci\u00f3n de un error de doble liberaci\u00f3n en rockchip_usb2phy_probe()\n\nLa funci\u00f3n for_each_available_child_of_node() llama a of_node_put() para liberar child_np en cada bucle exitoso. Despu\u00e9s de salir del bucle, una vez que child_np ha sido liberado, el c\u00f3digo saltar\u00e1 a la etiqueta put_child y llamar\u00e1 a of_node_put() de nuevo si devm_request_threaded_irq() falla. Esto causa un error de doble liberaci\u00f3n.\n\nSe corrige regresando directamente para evitar la llamada duplicada a of_node_put()."}], "id": "CVE-2026-23030", "lastModified": "2026-04-15T00:35:42.020", "metrics": {}, "published": "2026-01-31T12:16:06.313", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/027d42b97e6eb827c3438ebc09bab7efaee9270d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b97b2c9808c9a97e0ce30216fa12096d8b0eaa75"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e07dea3de508cd6950c937cec42de7603190e1ca"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ebae26dd15140b840cf65be5e1c0daee949ba70b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/efe92ee7a111fe0f4d75f3ed6b7e3f86322279d5"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()", "id": "2435659", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2435659"}, "csaw": false, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nphy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()\nThe for_each_available_child_of_node() calls of_node_put() to\nrelease child_np in each success loop. After breaking from the\nloop with the child_np has been released, the code will jump to\nthe put_child label and will call the of_node_put() again if the\ndevm_request_threaded_irq() fails. These cause a double free bug.\nFix by returning directly to avoid the duplicate of_node_put()."], "name": "CVE-2026-23030", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23030\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23030\nhttps://lore.kernel.org/linux-cve-announce/2026013120-CVE-2026-23030-9cb8@gregkh/T"]}

{"analysis": {"en": {"generated_at": "2026-04-18T19:47:59.392799+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a release that includes the patch fixing the double free bug", "Reboot the system after the kernel update so the new image takes effect", "If a patch cannot be applied immediately, disable or remove Rockchip USB\u20112.0 PHY support in the kernel configuration to prevent the vulnerable execution path"], "summary": {"action": "Apply Patch", "impact": "Kernel memory corruption"}, "threat_synthesis": {"affected_systems": "All Linux kernel versions that contain the buggy rockchip_usb2phy_probe() implementation are affected. This code resides in the generic Linux kernel source for Rockchip System\u2011on\u2011Chip support and is shipped in all distributions that provide a kernel with this PCI/USB PHY driver. The vulnerability persists until the commit that removes the redundant of_node_put() is applied, with no specific version range given.", "description_and_impact": "The double free occurs in the Rockchip USB\u20112.0 PHY driver when the probe routine calls of_node_put() twice on a device node that has already been released. The result is a classic Use\u2011After\u2011Free that can corrupt kernel memory and potentially lead to a kernel crash or, in an ideal scenario, kernel\u2010level code execution. Based on the description, it is inferred that an attacker who can influence the probe flow\u2014such as by manipulating device tree entries or forcing the driver to load\u2014can trigger the vulnerability.", "risk_and_exploitability": "The EPSS score is reported as less than 1\u202f%, and the vulnerability is not listed in CISA\u2019s KEV catalogue, indicating a low likelihood of active exploitation. No public exploits are known, and exploitation would likely require local kernel access or privilege escalation to load a module that initiates the probe routine. The impact is limited to kernel memory corruption and potential denial of service, with arbitrary code execution remaining theoretical."}}}}, "created": "2026-04-18T20:00:09.271191+00:00", "updated": "2026-04-18T20:00:09.271203+00:00", "vendors": [], "weaknesses": ["CWE-416"]}