CVE-2026-23314 in Linux
Summary
by MITRE • 03/25/2026
In the Linux kernel, the following vulnerability has been resolved:
regulator: bq257xx: Fix device node reference leak in bq257xx_reg_dt_parse_gpio()
In bq257xx_reg_dt_parse_gpio(), if it fails to get the subchild, it returns without calling of_node_put(child), causing a device node reference leak.
Analysis
by VulDB Data Team • 03/31/2026
The vulnerability identified as CVE-2026-23314 represents a critical resource management flaw within the Linux kernel's power management subsystem, specifically affecting the bq257xx regulator driver. This issue manifests as a device node reference leak that occurs during the parsing of device tree GPIO configurations for battery charging regulators. The vulnerability resides in the bq257xx_reg_dt_parse_gpio() function, which is responsible for processing device tree entries to configure GPIO settings for the bq257xx family of power management chips. When the function encounters a failure while attempting to access subchild nodes within the device tree structure, it prematurely returns from the function without properly releasing the reference to the parent device node through the of_node_put() API call.
The technical implementation of this vulnerability stems from improper resource cleanup practices within the device tree parsing logic. During normal operation, the function iterates through device tree nodes to extract GPIO configuration parameters, acquiring references to device nodes through the device tree API. When the function fails to retrieve a required subchild node, typically due to missing or malformed device tree entries, it should ensure proper cleanup of all acquired references before returning. However, the current implementation omits the of_node_put() call that would release the reference to the child node, leading to a memory leak where the device node reference remains active even though the function has completed execution. This pattern of resource management failure violates fundamental kernel programming practices and can accumulate over time, particularly in systems with frequent device tree parsing operations or multiple regulator configurations.
The operational impact of this vulnerability extends beyond simple memory consumption, potentially affecting system stability and performance over extended periods of operation. Device node reference leaks can contribute to memory fragmentation and resource exhaustion, particularly in embedded systems or devices with limited memory resources where such leaks compound over time. The vulnerability affects systems using bq257xx regulator drivers, which are commonly found in mobile devices, embedded systems, and IoT platforms that rely on proper power management for battery charging operations. While the immediate impact may appear minimal in short-term operation, sustained exposure to this leak can degrade system performance, increase memory pressure, and potentially contribute to system instability during prolonged operation. The leak occurs specifically during device tree parsing phases, making it relevant to systems booting with complex power management configurations or those dynamically reconfiguring power regulators.
Mitigation strategies for this vulnerability focus on correcting the resource management logic within the kernel driver code. The primary fix involves ensuring that all device node references acquired during the parsing process are properly released before function return, regardless of success or failure conditions. This requires implementing proper error handling paths that include of_node_put() calls for all acquired references, even when the function encounters errors and must return early. System administrators and device manufacturers should prioritize applying the kernel patches that address this specific resource leak, particularly in production environments where long-term stability and resource management are critical. Additionally, monitoring systems should be implemented to detect unusual memory consumption patterns that might indicate resource leaks, and regular kernel updates should be maintained to ensure protection against such vulnerabilities.
This vulnerability aligns with CWE-404, which specifically addresses improper resource release or unbalanced resource management, and could potentially be leveraged by attackers to perform resource exhaustion attacks, though the direct exploitation path is limited compared to more severe kernel vulnerabilities. The ATT&CK framework categorizes this under privilege escalation and resource exhaustion techniques, as the leak could contribute to system instability that might be exploited in combination with other vulnerabilities to compromise system integrity.
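The early-return leak and the release-on-every-path fix described in the analysis above, shown as an added user-space C model. This is not the bq257xx driver source or the upstream patch: struct node, mock_get_child(), mock_node_put() and the node names "root", "child" and "subchild" are constructed stand-ins for the kernel's device node, its child lookup and of_node_put().

```c
/* User-space model of the leak; NOT the bq257xx driver source. struct node and
 * the mock_* helpers are constructed stand-ins for the kernel device-tree API. */
#include <stdio.h>
#include <string.h>
struct node { const char *name; int refcount; struct node *child; };

/* Returns the named child with a reference taken, or NULL if absent. */
static struct node *mock_get_child(struct node *parent, const char *name) {
    struct node *c = parent->child;
    if (!c || strcmp(c->name, name) != 0) return NULL;
    c->refcount++;
    return c;
}

/* Stand-in for of_node_put(): drops one reference, NULL is a no-op. */
static void mock_node_put(struct node *n) { if (n) n->refcount--; }

/* Leaky shape: the early return on a missing subchild skips the put. */
static int parse_leaky(struct node *root) {
    struct node *child = mock_get_child(root, "child"), *sub;
    if (!child) return -1;
    sub = mock_get_child(child, "subchild");
    if (!sub) return -1;        /* reference on child is never dropped */
    mock_node_put(sub);
    mock_node_put(child);
    return 0;
}

/* Fixed shape: success and failure both pass through the put on child. */
static int parse_fixed(struct node *root) {
    struct node *child = mock_get_child(root, "child"), *sub;
    if (!child) return -1;
    sub = mock_get_child(child, "subchild");
    mock_node_put(sub);         /* no-op when sub is NULL */
    mock_node_put(child);
    return sub ? 0 : -1;
}

/* References left on child after n parses of a tree with no subchild. */
static int leaked_refs(int (*parse)(struct node *), int n) {
    struct node child = { "child", 1, NULL }, root = { "root", 1, &child };
    for (int i = 0; i < n; i++) parse(&root);
    return child.refcount - 1;
}

int main(void) {
    printf("leaked refs after 100 failed parses: leaky=%d fixed=%d\n",
           leaked_refs(parse_leaky, 100), leaked_refs(parse_fixed, 100));
    return 0;
}
```

In this model each failed parse leaves one extra reference on the child in the leaky variant, while the fixed variant returns the count to its starting value on both the success and the failure path.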