CVE-2026-45981

css_alloc_subchannel() calls device_initialize() before setting up the DMA masks. If dma_set_coherent_mask() or dma_set_mask() fails, the error path frees the subchannel structure directly, bypassing the device model reference counting.

Once device_initialize() has been called, the embedded struct device must be released via put_device(), allowing the release callback to free the container structure.

Fix the error path by dropping the initial device reference with put_device() instead of calling kfree() directly.

This ensures correct device lifetime handling and avoids potential use-after-free or double-free issues.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45981.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

e5dcf0025d7af58f525590ac86ac27cb44714e8d

Fixed

abb6e07f46a740cda4f07d1b561ae4eaa7a1df42

Fixed

f96c5ccf95ae5f27218c1ce2d6a3ad2d3e105424

Fixed

6715560527e343a387e4a0d2e6c401748e89fa55

Fixed

c35cfbb5341ba05ad1b4476ffc3c21cc3ff8f603

Fixed

f65c75b0b9b5a390bc3beadcde0a6fbc3ad118f7

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45981.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.10.0

Fixed

6.6.128

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.75

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.14

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45981.json"