Bug 2436833 (CVE-2026-23090)

Summary: CVE-2026-23090 kernel: slimbus: core: fix device reference leak on report present
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-04 17:05:40 UTC 
In the Linux kernel, the following vulnerability has been resolved:

slimbus: core: fix device reference leak on report present

Slimbus devices can be allocated dynamically upon reception of
report-present messages.

Make sure to drop the reference taken when looking up already registered
devices.

Note that this requires taking an extra reference in case the device has
not yet been registered and has to be allocated.
Comment 1 Jon Moroney 2026-02-04 18:59:16 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026020425-CVE-2026-23090-2971@gregkh/T