Memory Leak in OpenWrt Project's Token Parsing Function
CVE-2026-30873

2.4LOW

Key Information:

Vendor

Openwrt

Status
Openwrt
Vendor
CVE Published:
19 March 2026

What is CVE-2026-30873?

The OpenWrt Project has identified a memory leak vulnerability in its Linux operating system, specifically within the jp_get_token function. This function is responsible for parsing input expressions and managing dynamic memory allocation. In versions prior to 24.10.6 and 25.12.1, a flaw exists where string literals and other elements extracted during this process are not properly freed, leading to a memory leak. When the extracted data is copied to a new memory allocation, the initial allocation remains unfreed if not handled correctly. This issue poses potential risks for resource consumption in embedded devices using the affected versions. The problem has been addressed in the latest releases, ensuring proper memory management.

Affected Version(s)

openwrt >= 25.12.0-rc1, < 25.12.1 < 25.12.0-rc1, 25.12.1

openwrt < 24.10.6 < 24.10.6

References

https://github.com/openwrt/openwrt/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/openwrt/openwrt/releases/tag/v24.10.6
x_refsource_MISC
https://github.com/openwrt/openwrt/releases/tag/v25.12.1
x_refsource_MISC

CVSS V4

Score:
2.4
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.