CVE-2026-46221: Linux Kernel EDAC Versalnet Memory Leak Vulnerability
A memory leak exists in the Linux kernel's EDAC (Error Detection and Correction) versalnet driver. When the driver initializes memory controller devices, it allocates memory for a device name string but fails to properly free it during normal driver removal. The kernel's device registration process copies the name internally and then loses track of the original allocation, leaving orphaned memory that cannot be reclaimed. This gradually consumes system memory over repeated device initialization and removal cycles.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-401
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: EDAC/versalnet: Fix device name memory leak The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory. Use a stack-local char array instead of using kzalloc() for name.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46221 is a memory leak vulnerability in the EDAC versalnet driver's init_one_mc() function. The vulnerability occurs because kzalloc() allocates memory for a device name that is assigned to dev->init_name. While device_register() correctly copies this name to its own internal storage and nullifies dev->init_name, the original kzalloc() allocation becomes unreachable and is never freed. This is a classic CWE-401 (Missing Release of Memory after Effective Lifetime) issue. The fix involves replacing the dynamic allocation with a stack-allocated character array, eliminating the need for manual memory management in this code path.
Business impact
Memory leaks in kernel drivers can degrade system stability and performance over extended operation, particularly in production environments where EDAC functionality is actively monitoring memory errors on specialized hardware. For systems relying on EDAC versalnet (commonly found in Xilinx Zynq UltraScale+ and Versal FPGA platforms), repeated driver initialization cycles could lead to gradual memory exhaustion, eventual out-of-memory conditions, and potential system hangs or crashes. This is a reliability concern rather than a direct security breach, but affects availability and operational continuity.
Affected systems
The vulnerability affects the Linux kernel across all maintained versions that include the EDAC versalnet driver. This driver is specific to Xilinx Versal and Zynq UltraScale+ FPGA platforms. Affected systems include embedded Linux deployments on these Xilinx platforms where memory error detection and correction functionality is in use. Standard x86/x64 and ARM servers without Xilinx FPGA hardware are not affected.
Exploitability
This vulnerability cannot be exploited for privilege escalation, code execution, or information disclosure. Exploitation requires local access and the ability to trigger repeated device initialization and removal cycles (typically through module loading/unloading or device hotplug operations). The impact is limited to memory exhaustion—a denial-of-service condition that affects system reliability rather than security posture. CVSS 3.1 score of 5.5 (MEDIUM) reflects the local requirement and availability impact without confidentiality or integrity implications.
Remediation
Apply kernel updates that include the fix to replace kzalloc() with a stack-allocated character array in the EDAC versalnet driver's init_one_mc() function. Verify the patch against your kernel version's official advisory, as fix versions vary by kernel branch. For systems unable to update immediately, limit the frequency of device initialization/removal cycles and monitor system memory consumption on affected hardware platforms to detect early signs of memory pressure.
Patch guidance
Consult the Linux kernel's official security advisories and your distribution's kernel update mechanism (e.g., apt, yum, dnf) for the specific patch version addressing CVE-2026-46221. Stable and longterm kernel branches will have corresponding fixes—verify the patch commit hash and apply through your standard kernel update process. Recompilation from source may be necessary for embedded or specialized deployments. Test thoroughly in a non-production environment before rolling out to production FPGA systems.
Detection guidance
Monitor kernel memory allocation patterns on systems running the affected EDAC versalnet driver using tools such as kmemleak (if enabled in the kernel configuration) or memory profilers like valgrind in controlled test environments. Track system memory usage over time during repeated driver initialization cycles. Examine kernel logs for signs of memory pressure, OOM killer invocation, or repeated allocation failures. Baseline memory consumption after driver load and compare against expectations; anomalous growth suggests the leak is active.
Why prioritize this
Although this is a MEDIUM-severity vulnerability with limited exploitability, it should be prioritized for systems actively using Xilinx FPGA platforms with EDAC versalnet functionality in production environments where uptime and stability are critical. The memory leak is progressive and may manifest only after extended operation or many device cycles, making it less immediately obvious but nonetheless degrading system reliability over time. Organizations running such specialized hardware should treat this as a standard maintenance update.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects a local attack vector, low complexity, requirement for local privileges, and high impact on availability (memory exhaustion) with no confidentiality or integrity impact. The vulnerability is not a direct security vulnerability but a reliability issue; it scores MEDIUM rather than HIGH or CRITICAL because exploitation is passive (no active attack required), the scope is limited to affected FPGA hardware, and impact is gradual rather than instantaneous.
Frequently asked questions
Does this vulnerability allow remote code execution or privilege escalation?
No. CVE-2026-46221 is purely a memory leak that can lead to denial of service through memory exhaustion. It does not enable code execution, privilege escalation, or unauthorized access to data.
Which Linux systems are affected?
Only systems running the Linux kernel with the EDAC versalnet driver active, primarily Xilinx Versal and Zynq UltraScale+ FPGA platforms. Standard x86, x64, and ARM servers without this specialized hardware are not affected.
How long does it take for this memory leak to cause a problem?
The time depends on how frequently the device is initialized and removed. In typical operation, memory pressure may take weeks or months to become apparent. Systems with frequent device hotplug or module reloading may notice symptoms sooner.
Can I work around this vulnerability without patching?
Partially. You can reduce memory leak impact by minimizing driver initialization/removal cycles and monitoring system memory consumption. However, a kernel patch is the proper fix and should be applied at your earliest convenience.
This analysis is based on publicly available vulnerability data as of the publication date. CVSS scores, CWE classifications, and KEV status reflect authoritative sources but may be updated by NIST or vendors. Patch availability, version numbers, and remediation timelines should be verified against official Linux kernel security advisories and your distribution's advisory channels. This vulnerability assessment is provided for informational purposes to support vulnerability management and patching decisions; it does not constitute security consulting or legal advice. Organizations should conduct their own risk assessment based on their specific hardware configurations and operational requirements. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46109MEDIUMLinux Kernel USB ULPI Memory Leak – CVSS 5.5 Medium
- CVE-2026-46141MEDIUMPowerPC XIVE Memory Leak in MSI-X Interrupt Allocation
- CVE-2026-46143MEDIUMLinux QCOM Audio Driver Memory Leak – Availability Risk
- CVE-2026-46147MEDIUMLinux ARM64 KVM vCPU Initialization Pin Leak and Race Condition
- CVE-2026-46151MEDIUMLinux Kernel USB Printer Driver Heap Memory Leak
- CVE-2026-46171MEDIUMLinux RISC-V KVM Vector Context Memory Leak
- CVE-2026-46182MEDIUMLinux Kernel PAPR Hypervisor Pipe Information Disclosure Vulnerability
- CVE-2026-46207MEDIUMLinux vsock/virtio Incomplete Payload Disclosure in Network Monitoring