Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: gpio: Fix resource leaks on errors in gpiochip_add_data_with_key() Since commit aab5c6f20023 ("gpio: set device type for GPIO chips"), `gdev->dev.release` is unset. As a result, the reference count to `gdev->dev` isn't dropped on the error handling paths. Drop the reference on errors. Also reorder the instructions to make the error handling simpler. Now gpiochip_add_data_with_key() roughly looks like: >>> Some memory allocation. Go to ERR ZONE 1 on errors. >>> device_initialize(). gpiodev_release() takes over the responsibility for freeing the resources of `gdev->dev`. The subsequent error handling paths shouldn't go through ERR ZONE 1 again which leads to double free. >>> Some initialization mainly on `gdev`. >>> The rest of initialization. Go to ERR ZONE 2 on errors. >>> Chip registration success and exit. >>> ERR ZONE 2. gpio_device_put() and exit. >>> ERR ZONE 1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 6.9, < 6.18.22 |
Related Weaknesses (CWE)
References
- https://git.kernel.org/stable/c/16fdabe143fce2cbf89139677728e17e21b46c28Patch
- https://git.kernel.org/stable/c/f0cf9c7b7c281956cc0dec163132cd96f76e1d60Patch
- https://git.kernel.org/stable/c/fb4584d2b324c522404c733c65840a1a6519ada8Patch
FAQ
What is CVE-2026-31732?
CVE-2026-31732 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In the Linux kernel, the following vulnerability has been resolved: gpio: Fix resource leaks on errors in gpiochip_add_data_with_key() Since commit aab5c6f20023 ("gpio: set device type for GPIO chip...
How severe is CVE-2026-31732?
CVE-2026-31732 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-31732?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel.