DEBIAN-CVE-2026-23164
In the Linux kernel, the following vulnerability has been resolved: rocker: fix memory leak in rocker_world_port_post_fini() In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with kzalloc(wops->port_priv_size, GFP_KERNEL). However, in rocker_world_port_post_fini(), the memory is only freed when wops->port_post_fini callback is set: if (!wops->port_post_fini) return; wops->port_post_fini(rocker_port); kfree(rocker_port->wpriv); Since rocker_ofdpa_ops does not implement port_post_fini callback (it is NULL), the wpriv memory allocated for each port is never freed when ports are removed. This leads to a memory leak of sizeof(struct ofdpa_port) bytes per port on every device removal. Fix this by always calling kfree(rocker_port->wpriv) regardless of whether the port_post_fini callback exists.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | linux | 5.10.103-1, *, 5.10.191-1 |
| Debian:12 | linux | 6.1.52-1, 0, 6.1.106-1 |
| Debian:14 | linux | 6.18.2-1~exp1, 6.17.8-1~bpo13+1, 6.17.8-1 |
| Debian:13 | linux | 6.12.38-1, 6.12.41-1, 6.12.43-1 |
Timeline
- Feb 14, 2026 CVE Published
- Apr 28, 2026 CVE Updated