In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths
The gssxdecctx(), gssxdecstatus(), and gssxdecname() functions allocate memory via gssxdecbuffer(), which calls kmemdup(). When a subsequent decode operation fails, these functions return immediately without freeing previously allocated buffers, causing memory leaks.
The leak in gssxdecctx() is particularly relevant because the caller (gsspacceptseccontextupcall) initializes several buffer length fields to non-zero values, resulting in memory allocation:
struct gssx_ctx rctxh = {
.exported_context_token.len = GSSX_max_output_handle_sz,
.mech.len = GSS_OID_MAX_LEN,
.src_name.display_name.len = GSSX_max_princ_sz,
.targ_name.display_name.len = GSSX_max_princ_sz
};
If, for example, gssxdecname() succeeds for srcname but fails for targname, the memory allocated for exportedcontexttoken, mech, and srcname.displayname remains unreferenced and cannot be reclaimed.
Add error handling with goto-based cleanup to free any previously allocated buffers before returning an error.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45870.json"
}