CVE-2026-46141

Source
https://cve.org/CVERecord?id=CVE-2026-46141
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46141.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46141
Downstream
Related
Published
2026-05-28T09:35:56.940Z
Modified
2026-07-08T08:13:35.286532530Z
Summary
powerpc/xive: fix kmemleak caused by incorrect chip_data lookup
Details

In the Linux kernel, the following vulnerability has been resolved:

powerpc/xive: fix kmemleak caused by incorrect chip_data lookup

The kmemleak reports the following memory leak:

Unreferenced object 0xc0000002a7fbc640 (size 64): comm "kworker/8:1", pid 540, jiffies 4294937872 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00 ................ 00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00 ................ backtrace (crc 177d48f6): __kmalloccachenoprof+0x520/0x730 xive_irqallocdata.constprop.0+0x40/0xe0 xiveirqdomainalloc+0xd0/0x1b0 irqdomainallocirqsparent+0x44/0x6c pseriesirqdomainalloc+0x1cc/0x354 irqdomainallocirqsparent+0x44/0x6c msidomainalloc+0xb0/0x220 irqdomainallocirqslocked+0x138/0x4d0 __irqdomainalloc_irqs+0x8c/0xfc __msidomainallocirqs+0x214/0x4d8 msidomainallocirqsalllocked+0x70/0xf8 pcimsisetupmsiirqs+0x60/0x78 __pcienablemsixrange+0x54c/0x98c pciallocirqvectorsaffinity+0x16c/0x1d4 nvmepcienable+0xac/0x9c0 [nvme] nvmeprobe+0x340/0x764 [nvme]

This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xiveirqdata and stores it in irqdata->chipdata.

When the MSI-X irqdomain is later freed, xiveirqfreedata() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 ("powerpc/xive: Untangle xive from child interrupt controller drivers"), xiveirqfreedata() retrieves the chipdata using irqgetchipdata(), which looks up the data through the child domain.

This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xiveirqdata is never freed, leading to the kmemleak report shown above.

Fix this by retrieving the irqdata from the correct domain using irqdomaingetirqdata() and then accessing the chipdata via irqdatagetirqchip_data().

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46141.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cc0cc23babc979e399f34f53e4bccf702a389558
Fixed
2546fb8c9acc8c7512ed4339ce2a982cb7407065
Fixed
e66ed135cdf23a318e9727dca48f98f7f6142f78
Fixed
6771c54728c278bf1e4bfdab4fddbbb186e33498

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46141.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.18.0
Fixed
6.18.30
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46141.json"