CVE-2026-23026: dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
Fix a memory leak in gpi_peripheral_config() where the original memory
pointed to by gchan->config could be lost if krealloc() fails.
The issue occurs when:
1. gchan->config points to previously allocated memory
2. krealloc() fails and returns NULL
3. The function directly assigns NULL to gchan->config, losing the
reference to the original memory
4. The original memory becomes unreachable and cannot be freed
Fix this by using a temporary variable to hold the krealloc() result
and only updating gchan->config when the allocation succeeds.
Found via static analysis and code review.
Security readout for executives and security teams
Plain-English summary
This CVE is a Linux kernel memory leak in the Qualcomm GPI DMA engine driver. If a specific reallocation fails, previously allocated configuration memory can be lost rather than freed. The public data does not provide CVSS scoring, confirmed real-world exploitation, or a detailed business-impact statement.
Executive priority
Treat as routine kernel maintenance unless your environment depends on affected Qualcomm-based Linux platforms or a vendor advisory flags impacted products. Current public evidence does not support emergency response.
Technical view
In gpi_peripheral_config(), assigning krealloc() directly to gchan->config can overwrite the only pointer when krealloc() returns NULL. The fix uses a temporary pointer and updates gchan->config only after successful allocation. The issue was found through static analysis and code review.
Likely exposure
Exposure appears limited to Linux systems using affected kernel versions with the Qualcomm GPI DMA engine path present and relevant. The source bundle lists Linux as affected but does not clarify distributions, device models, or configuration prerequisites.
Exploitation context
The bundle says KEV is false and provides no cited evidence of active exploitation. It describes a memory leak from allocation failure handling, not a complete attack chain, privilege requirement, or remote entry point.
Researcher notes
The key defect is lost ownership of gchan->config on krealloc() failure. The bundle does not provide CVSS, CWE, exploitability assessment, or runtime trigger conditions, so validation should focus on code presence, kernel branch mapping, and vendor advisories.
Mitigation direction
Apply the relevant Linux stable kernel fix from your vendor or kernel maintenance channel.
Check Siemens advisories if you operate affected Siemens products.
Prioritize systems using Qualcomm platforms or kernels with the qcom GPI DMA engine enabled.
If no vendor package exists, track official kernel stable commits for your maintained branch.
Validation and detection
Inventory running kernel versions and compare them with vendor CVE guidance.
Check whether the qcom GPI DMA engine driver is built or loaded.
Confirm the stable fix commit is present in your kernel source or package changelog.
Review vendor advisories for product-specific affected and fixed versions.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2026-23026 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
9Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Jan 31, 2026, 11:42 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.