CVE-2026-23255
- Source
- https://cve.org/CVERecord?id=CVE-2026-23255
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23255.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-23255
- Downstream
- Published
- 2026-03-18T17:41:01.445Z
- Modified
- 2026-04-03T03:33:48.726473Z
- Summary
- net: add proper RCU protection to /proc/net/ptype
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net: add proper RCU protection to /proc/net/ptype
Yin Fengwei reported an RCU stall in ptypeseqshow() and provided a patch.
Real issue is that ptypeseqnext() and ptypeseqshow() violate RCU rules.
ptypeseqshow() runs under rcureadlock(), and reads pt->dev to get device name without any barrier.
At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->dev without an RCU grace period.
Define ptypeiterstate to carry a dev pointer along seqnetprivate:
struct ptypeiterstate { struct seqnetprivate p; struct net_device *dev; // added in this patch };
We need to record the device pointer in ptypegetidx() and ptypeseqnext() so that ptypeseqshow() is safe against concurrent pt->dev changes.
We also need to add full RCU protection in ptypeseqnext(). (Missing READ_ONCE() when reading list.next values)
Many thanks to Dong Chenchen for providing a repro.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23255.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/589a530ae44d0c80f523fcfd1a15af8087f27d35
- https://git.kernel.org/stable/c/dcefd3f0b9ed8288654c75254bdcee8e1085e861
- https://git.kernel.org/stable/c/f613e8b4afea0cd17c7168e8b00e25bc8d33175d
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23255.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-23255
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git