By weakness (CWE)
CWE-401: related vulnerabilities
CVEs classified under CWE-401. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
5 published vulnerabilities
- CVE-2026-46109MEDIUM 5.5
A memory leak exists in the Linux kernel's USB ULPI (UTMI Low Pin Interface) driver registration code. When certain initialization steps fail early in the device registration process, allocated memory is not properly freed, allowing memory to accumulate over repeated failures. This is a residual issue from a prior fix that addressed a different memory safety problem. The vulnerability requires local access and elevated privileges to trigger.
- CVE-2026-46141MEDIUM 5.5
A memory leak vulnerability exists in the Linux kernel's PowerPC XIVE interrupt handling code. When allocating MSI-X interrupt vectors for NVMe devices, the kernel creates interrupt data structures but fails to properly clean them up when the interrupt domain is freed. This occurs because the code looks for the data in the wrong place during cleanup, causing allocated memory to be abandoned. While this is a localized memory management issue, repeated device allocation and deallocation cycles could gradually consume system memory and degrade performance.
- CVE-2026-46143MEDIUM 5.5
CVE-2026-46143 is a memory leak vulnerability in the Linux kernel's QCOM audio subsystem. The issue occurs in the ASoC (ALSA System on Chip) driver for QCOM Q6APM LPASS audio interfaces, where the prepare function can be invoked multiple times. Each invocation opens a new graph for the playback path without checking if one is already open, resulting in cumulative resource exhaustion. While the vulnerability requires local access and low-privilege execution context, the impact is availability disruption through memory exhaustion.
- CVE-2026-46147MEDIUM 5.5
A flaw in the Linux kernel's ARM64 KVM (virtualization) implementation can cause system resource leaks and expose partially initialized virtual CPU objects to concurrent access. When vCPU initialization encounters an error partway through, cleanup code fails to release pinned memory references, accumulating leak over time. Additionally, the vCPU object is published to shared state without proper synchronization barriers, risking observers seeing an incompletely initialized structure. This affects hypervisor deployments using ARM64-based KVM virtualization.
- CVE-2026-46151MEDIUM 5.5
A flaw in the Linux kernel's USB printer driver (usblp) allows a malicious or malfunctioning printer to leak uninitialized kernel memory to local users. When a printer responds to a device ID request with fewer bytes than claimed in its length header, the driver fails to zero out the remaining buffer before exposing it via sysfs or an ioctl. An attacker with local access could craft a printer (or intercept USB traffic) to trigger this and read sensitive kernel memory.