LiveActive security incident?Get immediate response
CVE Record

CVE-2026-23026: dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()

In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config() Fix a memory leak in gpi_peripheral_config() where the original memory pointed to by gchan->config could be lost if krealloc() fails. The issue occurs when: 1. gchan->config points to previously allocated memory 2. krealloc() fails and returns NULL 3. The function directly assigns NULL to gchan->config, losing the reference to the original memory 4. The original memory becomes unreachable and cannot be freed Fix this by using a temporary variable to hold the krealloc() result and only updating gchan->config when the allocation succeeds. Found via static analysis and code review.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This CVE is a Linux kernel memory leak in the Qualcomm GPI DMA engine driver. If a specific reallocation fails, previously allocated configuration memory can be lost rather than freed. The public data does not provide CVSS scoring, confirmed real-world exploitation, or a detailed business-impact statement.

Executive priority

Treat as routine kernel maintenance unless your environment depends on affected Qualcomm-based Linux platforms or a vendor advisory flags impacted products. Current public evidence does not support emergency response.

Technical view

In gpi_peripheral_config(), assigning krealloc() directly to gchan->config can overwrite the only pointer when krealloc() returns NULL. The fix uses a temporary pointer and updates gchan->config only after successful allocation. The issue was found through static analysis and code review.

Likely exposure

Exposure appears limited to Linux systems using affected kernel versions with the Qualcomm GPI DMA engine path present and relevant. The source bundle lists Linux as affected but does not clarify distributions, device models, or configuration prerequisites.

Exploitation context

The bundle says KEV is false and provides no cited evidence of active exploitation. It describes a memory leak from allocation failure handling, not a complete attack chain, privilege requirement, or remote entry point.

Researcher notes

The key defect is lost ownership of gchan->config on krealloc() failure. The bundle does not provide CVSS, CWE, exploitability assessment, or runtime trigger conditions, so validation should focus on code presence, kernel branch mapping, and vendor advisories.

Mitigation direction

  • Apply the relevant Linux stable kernel fix from your vendor or kernel maintenance channel.
  • Check Siemens advisories if you operate affected Siemens products.
  • Prioritize systems using Qualcomm platforms or kernels with the qcom GPI DMA engine enabled.
  • If no vendor package exists, track official kernel stable commits for your maintained branch.

Validation and detection

  • Inventory running kernel versions and compare them with vendor CVE guidance.
  • Check whether the qcom GPI DMA engine driver is built or loaded.
  • Confirm the stable fix commit is present in your kernel source or package changelog.
  • Review vendor advisories for product-specific affected and fixed versions.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2026-23026 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
9Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux5d0c3533a19f48e5e7e73806a3e4b29cd4364130, 5d0c3533a19f48e5e7e73806a3e4b29cd4364130, 5d0c3533a19f48e5e7e73806a3e4b29cd4364130, 5d0c3533a19f48e5e7e73806a3e4b29cd4364130, 5d0c3533a19f48e5e7e73806a3e4b29cd4364130, 5d0c3533a19f48e5e7e73806a3e4b29cd4364130unaffected
LinuxLinux5.11, 0, 5.15.199, 6.1.162, 6.6.122, 6.12.67, 6.18.7, 6.19affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.