Vulnerability Database / CVE-2026-23091 CVE-2026-23091: Linux Kernel Privilege Escalation Flaw CVE-2026-23091 is a privilege escalation vulnerability in the Linux kernel's intel_th component caused by device reference leaks during output device operations. This article covers technical details, impact, and mitigation. Published : February 6, 2026 CVE-2026-23091 Overview A memory leak vulnerability has been identified in the Linux kernel's Intel Trace Hub (intel_th) driver. The vulnerability occurs when device references are not properly released during output device open() operations. When looking up the th device during output device open, a reference is taken but not consistently dropped on error paths or on close, leading to resource exhaustion. Critical Impact Persistent memory leaks in kernel space can lead to system resource exhaustion, potentially causing denial of service conditions on affected systems running the Intel Trace Hub driver. Affected Products Linux Kernel with Intel Trace Hub (intel_th) driver enabled Systems utilizing Intel Trace Hub hardware for debugging and tracing Multiple kernel versions prior to the security patches Discovery Timeline February 4, 2026 - CVE-2026-23091 published to NVD February 5, 2026 - Last updated in NVD database Technical Details for CVE-2026-23091 Vulnerability Analysis This memory leak vulnerability exists in the Intel Trace Hub driver's device management code. The intel_th subsystem is responsible for hardware-assisted tracing on Intel platforms. During the open() operation for output devices, the driver looks up the associated th device and takes a reference to prevent premature deallocation. The issue arises because a recent commit only partially addressed the leak by fixing some error paths in open() , but failed to handle all error conditions. More critically, the reference is still leaked on successful open() operations because the corresponding close() path does not drop the reference that was taken during open() . This type of reference counting error is a common source of kernel memory leaks. Each successful open without a corresponding reference drop during close accumulates leaked device structures, eventually exhausting kernel memory resources. Root Cause The root cause is improper reference counting management in the intel_th output device handling code. Specifically: A device reference is acquired during open() via a device lookup function Not all error paths in open() properly release this reference The close() function fails to drop the reference taken during a successful open() This violates the kernel's reference counting contract where every reference acquisition must have a corresponding release to prevent memory leaks. Attack Vector The vulnerability requires local access to the system with permissions to open the Intel Trace Hub output device. An attacker or a faulty application could repeatedly open and close the device, causing kernel memory to be progressively leaked until system resources are exhausted. The attack does not require elevated privileges beyond standard device access permissions, making it a potential vector for local denial of service attacks on systems with the intel_th driver loaded. Detection Methods for CVE-2026-23091 Indicators of Compromise Gradual increase in kernel memory usage over time correlated with intel_th device access Kernel warnings or errors related to memory allocation failures Degraded system performance due to memory pressure Entries in kernel logs indicating intel_th driver operations Detection Strategies Monitor kernel memory allocation patterns using tools like /proc/meminfo and /proc/slabinfo Implement kernel memory tracking to detect reference count anomalies in device structures Use kernel debugging features such as KMEMLEAK to identify unreleased device references Deploy endpoint detection solutions capable of monitoring kernel resource utilization Monitoring Recommendations Configure alerts for unusual kernel memory growth patterns on systems running Intel Trace Hub Implement baseline monitoring for intel_th driver activity and resource consumption Enable kernel audit logging for device open/close operations on trace hub devices Review system logs for repeated access patterns to /dev/intel_th* devices How to Mitigate CVE-2026-23091 Immediate Actions Required Update the Linux kernel to a patched version containing the fix If updates cannot be applied immediately, consider unloading the intel_th driver if not required for operations Restrict access to Intel Trace Hub device nodes to limit potential exploitation Monitor affected systems for signs of memory exhaustion Patch Information Multiple patches have been released to the stable Linux kernel branches. The fixes ensure that device references are properly dropped on all error paths during open() and correctly released during close() . Patch commits are available in the kernel git repository: Commit 0fca16c5591534cc1fec8b6181277ee3a3d0f26c C