HIGH
soc/ti ClkMux Double-Free
CVE-2026-43196
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 4.4 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

soc: ti: pruss: Fix double free in pruss_clk_mux_setup()

In the pruss_clk_mux_setup(), the devm_add_action_or_reset() indirectly calls pruss_of_free_clk_provider(), which calls of_node_put(clk_mux_np) on the error path. However, after the devm_add_action_or_reset() returns, the of_node_put(clk_mux_np) is called again, causing a double free.

Fix by returning directly, to avoid the duplicate of_node_put().
02 KernelScan AI Analysis
Risk summary
Local administrators with root privileges can trigger a kernel panic on TI AM65x and J721E SoCs by causing a double free in the PRUSS clock mux setup. This affects embedded systems using these TI processors, potentially causing system crashes and denial of service when the driver is probed under memory pressure.
Vulnerability analysis
The vulnerability occurs in pruss_clk_mux_setup() where devm_add_action_or_reset() calls pruss_of_free_clk_provider() on error, which internally calls of_node_put(clk_mux_np). However, the original code then calls of_node_put(clk_mux_np) again in the error path, causing a double free of the device tree node reference. The fix eliminates the duplicate of_node_put() call by returning directly after devm_add_action_or_reset(), ensuring the cleanup action handles the reference properly. Triggering this bug requires root privileges to cause driver probe or re-probe (e.g., module load or device bind/unbind) under memory pressure.
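The control flow described above, reduced to a userspace model. This is an added example, not the kernel driver's code: the struct and every function name are hypothetical stand-ins, and the model counts an extra put instead of corrupting memory.

```c
#include <stdio.h>
/* Constructed userspace model: a device-tree node reduced to a refcount. */
struct node { int refcount; int excess_puts; };

/* Stands in for of_node_put(); records a put made with no reference left. */
static void node_put(struct node *n)
{
    if (n->refcount == 0) { n->excess_puts++; return; }
    n->refcount--;
}

/* Stands in for pruss_of_free_clk_provider(): drops the node reference. */
static void free_clk_provider(void *data) { node_put(data); }

/* Stands in for devm_add_action_or_reset(): on failure it runs the action
 * itself before returning the error. 'fail' simulates -ENOMEM (-12). */
static int add_action_or_reset(void (*action)(void *), void *data, int fail)
{
    if (!fail)
        return 0;       /* action registered; it runs at device teardown */
    action(data);       /* the "or_reset" half: cleanup happens right here */
    return -12;
}

/* Pre-fix flow: the error path puts the node a second time. */
static int setup_before_fix(struct node *n, int fail)
{
    int ret = add_action_or_reset(free_clk_provider, n, fail);
    if (ret)
        node_put(n);    /* duplicate put: the action already dropped it */
    return ret;
}

/* Fixed flow: return directly and let the action own the reference. */
static int setup_after_fix(struct node *n, int fail)
{
    return add_action_or_reset(free_clk_provider, n, fail);
}

/* Run one variant on a node holding one reference; count excess puts. */
static int excess_puts_after(int (*setup)(struct node *, int), int fail)
{
    struct node n = { .refcount = 1, .excess_puts = 0 };
    setup(&n, fail);
    return n.excess_puts;
}

int main(void)
{
    printf("before fix: %d\n", excess_puts_after(setup_before_fix, 1));
    printf("after fix:  %d\n", excess_puts_after(setup_after_fix, 1));
    return 0;
}
```

The extra put appears only when registration fails, which matches the page's point that the bug is reached on the error path of a probe.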
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.252 | dbda01bf2dfe |
| 5.15 | 5.15.202 | 24c40076e3bc |
| 6.1 | 6.1.165 | 818cf66d91c8 |
| 6.6 | 6.6.128 | e113339cc7d2 |
| 6.12 | 6.12.75 | 69aa67c1e22d |
| 6.18 | 6.18.16 | b7db9953c2f8 |
| 6.19 | 6.19.6 | 04dbbb18cc9c |
| mainline | 7.0 | 80db65d4acfb |