What is CVE-2026-45872?

CVE-2026-45872 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 5.16 onward and patched in 6.1.165, 6.6.128, 6.12.75 and others. CVE-2026-45872 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-45872?

CVE-2026-45872 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-45872?

Yes, CVE-2026-45872 has been patched. Fixed versions include 6.1.165, 6.6.128, 6.12.75 and others. If you are running Linux kernel 5.16 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-45872 actively exploited?

CVE-2026-45872 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-45872

In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix memory leak in pqi_report_phys_luns() pqi_report_phys_luns() fails to release the rpl_list buffer when encountering an unsupported data format or when the allocation for rpl_16byte_wwid_list fails. These early returns bypass the cleanup logic, leading to memory leaks. Consolidate the error handling by adding an out_free_rpl_list label and use goto statements to ensure rpl_list is consistently freed on failure. Compile tested only. Issue found using a prototype static analysis tool and code review.

Package Linux Kernel

Published 2026-05-27

Last modified 2026-05-27

Patch available

Yes

Affected versions

Linux kernel versions 5.16 and later are affected. Fixed in 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0 and their respective stable series.

Affected from

≥ 5.16

Fixed in

✓ 6.1.165 6.1.x ✓ 6.6.128 6.6.x ✓ 6.12.75 6.12.x ✓ 6.18.14 6.18.x ✓ 6.19.4 6.19.x ✓ 7.0

References

The following references provide additional information about CVE-2026-45872 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/41b37312bd9722af77ec7817ccf22d7a4880c289
Patch
Kernel patch commit
https://git.kernel.org/stable/c/454570434114e4862767f506a442a0f110b639b2
Patch
Kernel patch commit
https://git.kernel.org/stable/c/d52e13122d3771f753dd73ae6512fa01f58015cb
Patch

6 patch commits total View all on NVD

Frequently asked questions

What is CVE-2026-45872?

CVE-2026-45872 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 5.16 onward and has been patched in 6.1.165, 6.6.128, 6.12.75 and others. CVE-2026-45872 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-45872?

Yes — CVE-2026-45872 has been patched. Fixed versions include 6.1.165, 6.6.128, 6.12.75 and others. If you are running Linux kernel 5.16 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-45872 actively exploited?

No — CVE-2026-45872 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.