CVE-2026-52904: Linux Kernel Nouveau Driver Memory Leak DoS Vulnerability
A memory leak exists in the Linux kernel's Nouveau graphics driver. During the device initialization process, if a specific system configuration check fails, the driver fails to properly clean up an allocated device object, leaving resources dangling in kernel memory. This is a kernel-level resource exhaustion issue that can be triggered by unprivileged users on affected systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-401
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix nvkm_device leak on aperture removal failure When aperture_remove_conflicting_pci_devices() fails during probe, the error path returns directly without unwinding the nvkm_device that was just allocated by nvkm_device_pci_new(). This leaks both the device wrapper and the pci_enable_device() reference taken inside it. Jump to the existing fail_nvkm label so nvkm_device_del() runs and balances both. The leak was introduced when the intermediate nvkm_device_del() between detection and aperture removal was dropped in favor of creating the pci device once.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-52904 is a resource leak in the Nouveau DRM subsystem (drivers/gpu/drm/nouveau). When nvkm_device_pci_new() successfully allocates and initializes a device object during probe, but the subsequent aperture_remove_conflicting_pci_devices() call fails, the error handling path returns immediately without invoking nvkm_device_del(). This omission leaves two resources unreleased: the nvkm_device wrapper itself and the PCI device reference acquired via pci_enable_device(). The issue stems from a recent refactoring that consolidated device creation into a single operation, eliminating an intermediate cleanup point. The correct remediation requires jumping to an existing fail_nvkm label to ensure proper resource deallocation.
Business impact
This vulnerability enables a local denial-of-service condition through resource exhaustion. Unprivileged users can trigger repeated device initialization failures, gradually consuming kernel memory and eventually degrading system performance or causing a crash. In multi-tenant or shared-access environments, this represents a meaningful availability risk. The impact is confined to systems with Nouveau-compatible GPUs and is not exploitable remotely or without local access.
Affected systems
The Linux kernel is affected. Vulnerability manifests on systems running the Nouveau graphics driver, typically found in distributions supporting AMD and NVIDIA discrete GPUs via the open-source stack. The vulnerability is triggered during driver probe, so it affects systems where a Nouveau-capable device is present and the driver initialization sequence encounters the specific failure condition (conflicting PCI apertures).
Exploitability
Exploitability is low in a practical sense. The vulnerability requires local code execution context (unprivileged user) and knowledge of or ability to trigger the aperture conflict scenario. It is not remotely exploitable and does not yield privilege escalation or confidentiality breaches. The CVSS 3.1 score of 5.5 (MEDIUM) reflects the local requirement and availability-only impact. No known public exploits exist; the flaw is a logic error discovered through code analysis rather than active exploitation.
Remediation
Apply a kernel patch that ensures nvkm_device_del() is called unconditionally on probe failure by routing the aperture removal error path through the fail_nvkm label. This guarantees that both the device object and the PCI reference are released. System administrators should upgrade to a patched kernel version once available from their distribution. Verify patch applicability against your vendor's security advisory, as backport versions may vary.
Patch guidance
Monitor your Linux distribution's security advisories for a kernel update addressing CVE-2026-52904. The patch involves a small control-flow correction in the Nouveau probe path; update instructions will be provided by your vendor. For custom kernel users, apply the upstream fix to drivers/gpu/drm/nouveau during your next planned kernel rebuild and reboot cycle. No workaround is available short of disabling the Nouveau driver if the GPU is not required.
Detection guidance
Detection is primarily post-incident via memory pressure and system logs. Monitor for unexplained kernel memory growth and check dmesg/journalctl for repeated 'aperture removal' or 'nvkm_device' related error messages during system boot or GPU hotplug events. Use 'dmesg | grep -i nouveau' to inspect probe-time warnings. Proactive detection requires kernel instrumentation or a patched kernel with enhanced logging; standard intrusion detection systems cannot identify the leak at runtime.
Why prioritize this
Prioritize this patch in a regular maintenance window within the next 1–2 release cycles. The MEDIUM CVSS score and local-only attack vector place it below critical vulnerabilities but above routine updates. Organizations running Nouveau-dependent workloads (particularly in cloud or HPC environments) should prioritize higher due to multi-tenant denial-of-service risk. Environments without Nouveau GPUs or using proprietary drivers may defer safely.
Risk score, explained
CVSS 3.1 score 5.5 (MEDIUM) reflects: (1) local attack vector—no remote trigger possible; (2) low privilege requirement—unprivileged user sufficient; (3) availability impact only—no confidentiality or integrity breach; (4) resource exhaustion is bounded by system RAM but practically achievable by an attacker. The score appropriately discounts this threat relative to RCE or privilege escalation but flags it as a legitimate operational risk in shared-access environments.
Frequently asked questions
Does this vulnerability affect my system if I use NVIDIA's proprietary driver (nvidia-driver)?
No. CVE-2026-52904 is specific to the open-source Nouveau driver. Systems using NVIDIA's closed-source driver are unaffected. You can confirm which driver is active by running 'lsmod | grep -i nouveau' or 'lsmod | grep -i nvidia'.
Can this vulnerability be exploited remotely or to gain elevated privileges?
No to both. The vulnerability requires local code execution (unprivileged user), cannot be triggered over a network, and does not result in privilege escalation or data breach. Its impact is limited to denial of service via memory exhaustion.
What happens if I delay patching?
Systems remain vulnerable to local denial-of-service attacks if an attacker or misconfigured application repeatedly triggers GPU initialization failures. In single-user or non-hostile environments, risk is minimal. In multi-tenant clouds or shared HPC systems, the risk is higher and patching should not be delayed.
Is there a workaround if I cannot patch immediately?
If your system does not require GPU functionality, you can blacklist the Nouveau module via kernel command line (nouveau.modeset=0) until a patch is deployed. Otherwise, patching is the only mitigation.
This analysis is provided for informational purposes to aid security decision-making. The vulnerability details, CVSS score, and affected products are sourced from official CVE records and vendor advisories. Readers should verify patch availability and compatibility against their specific distribution and kernel version before deploying updates. SEC.co makes no warranty regarding the completeness or timeliness of this analysis. Always consult your Linux distribution's security advisories and your organization's change management procedures before applying patches. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46109MEDIUMLinux Kernel USB ULPI Memory Leak – CVSS 5.5 Medium
- CVE-2026-46141MEDIUMPowerPC XIVE Memory Leak in MSI-X Interrupt Allocation
- CVE-2026-46143MEDIUMLinux QCOM Audio Driver Memory Leak – Availability Risk
- CVE-2026-46147MEDIUMLinux ARM64 KVM vCPU Initialization Pin Leak and Race Condition
- CVE-2026-46151MEDIUMLinux Kernel USB Printer Driver Heap Memory Leak
- CVE-2026-46171MEDIUMLinux RISC-V KVM Vector Context Memory Leak
- CVE-2026-46182MEDIUMLinux Kernel PAPR Hypervisor Pipe Information Disclosure Vulnerability
- CVE-2026-46207MEDIUMLinux vsock/virtio Incomplete Payload Disclosure in Network Monitoring