CVE-2026-23255

In the Linux kernel, the following vulnerability has been resolved: net: add proper RCU protection to /proc/net/ptype Yin Fengwei reported an RCU stall in ptype_seq_show() and provided a patch. Real issue is that ptype_seq_next() and ptype_seq_show() violate RCU rules. ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev to get device name without any barrier. At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->dev without an RCU grace period. Define ptype_iter_state to carry a dev pointer along seq_net_private: struct ptype_iter_state { struct seq_net_private p; struct net_device *dev; // added in this patch }; We need to record the device pointer in ptype_get_idx() and ptype_seq_next() so that ptype_seq_show() is safe against concurrent pt->dev changes. We also need to add full RCU protection in ptype_seq_next(). (Missing READ_ONCE() when reading list.next values) Many thanks to Dong Chenchen for providing a repro.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/002a73470b56848e4c81efeaaedd471e92d66d8d	Patch
https://git.kernel.org/stable/c/589a530ae44d0c80f523fcfd1a15af8087f27d35	Patch
https://git.kernel.org/stable/c/dcefd3f0b9ed8288654c75254bdcee8e1085e861	Patch
https://git.kernel.org/stable/c/e974a10a52618f7f57a4bce173a0ed96acd4e5dc
https://git.kernel.org/stable/c/f613e8b4afea0cd17c7168e8b00e25bc8d33175d	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:-::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc2::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc3::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc4::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc8::::::

History

01 Jun 2026, 17:16

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/e974a10a52618f7f57a4bce173a0ed96acd4e5dc -

21 May 2026, 00:15

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/002a73470b56848e4c81efeaaedd471e92d66d8d -~~	() https://git.kernel.org/stable/c/002a73470b56848e4c81efeaaedd471e92d66d8d - Patch
References	~~() https://git.kernel.org/stable/c/589a530ae44d0c80f523fcfd1a15af8087f27d35 -~~	() https://git.kernel.org/stable/c/589a530ae44d0c80f523fcfd1a15af8087f27d35 - Patch
References	~~() https://git.kernel.org/stable/c/dcefd3f0b9ed8288654c75254bdcee8e1085e861 -~~	() https://git.kernel.org/stable/c/dcefd3f0b9ed8288654c75254bdcee8e1085e861 - Patch
References	~~() https://git.kernel.org/stable/c/f613e8b4afea0cd17c7168e8b00e25bc8d33175d -~~	() https://git.kernel.org/stable/c/f613e8b4afea0cd17c7168e8b00e25bc8d33175d - Patch
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CPE		cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:-:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc7:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc8:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
First Time		Linux linux Kernel Linux

27 Apr 2026, 14:16

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/002a73470b56848e4c81efeaaedd471e92d66d8d -

02 Apr 2026, 12:16

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: net: añadir protección RCU adecuada a /proc/net/ptype Yin Fengwei informó de un bloqueo RCU en ptype_seq_show() y proporcionó un parche. El problema real es que ptype_seq_next() y ptype_seq_show() violan las reglas RCU. ptype_seq_show() se ejecuta bajo rcu_read_lock(), y lee pt->dev para obtener el nombre del dispositivo sin ninguna barrera. Al mismo tiempo, los escritores concurrentes pueden eliminar una estructura packet_type (que se libera correctamente después de un período de gracia RCU) y borrar pt->dev sin un período de gracia RCU. Definir ptype_iter_state para llevar un puntero dev junto con seq_net_private: struct ptype_iter_state { struct seq_net_private p; struct net_device *dev; // añadido en este parche }; Necesitamos registrar el puntero del dispositivo en ptype_get_idx() y ptype_seq_next() para que ptype_seq_show() esté a salvo de cambios concurrentes en pt->dev. También necesitamos añadir protección RCU completa en ptype_seq_next(). (Falta READ_ONCE() al leer los valores de list.next) Muchas gracias a Dong Chenchen por proporcionar una reproducción.
References		() https://git.kernel.org/stable/c/dcefd3f0b9ed8288654c75254bdcee8e1085e861 -

18 Mar 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-18 18:16

Updated : 2026-06-01 17:16

NVD link : CVE-2026-23255

Mitre link : CVE-2026-23255

CVE.ORG link : CVE-2026-23255

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

5.5 /10