CVE-2026-23273
- Source
- https://cve.org/CVERecord?id=CVE-2026-23273
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23273.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-23273
- Downstream
- Published
- 2026-03-20T08:08:54.111Z
- Modified
- 2026-04-14T03:47:40.306439Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- macvlan: observe an RCU grace period in macvlan_common_newlink() error path
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
macvlan: observe an RCU grace period in macvlancommonnewlink() error path
valis reported that a race condition still happens after my prior patch.
macvlancommonnewlink() might have made @dev visible before detecting an error, and its caller will directly call free_netdev(dev).
We must respect an RCU period, either in macvlan or the core networking stack.
After adding a temporary mdelay(1000) in macvlanforwardsource_one() to open the race window, valis repro was:
ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source
(ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 &) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4 PING 1.2.3.4 (1.2.3.4): 56 data bytes RTNETLINK answers: Invalid argument
BUG: KASAN: slab-use-after-free in macvlanforwardsource (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) Read of size 8 at addr ffff888016bb89c0 by task e/175
CPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: <IRQ> dumpstacklvl (lib/dumpstack.c:123) printreport (mm/kasan/report.c:379 mm/kasan/report.c:482) ? macvlanforwardsource (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) kasanreport (mm/kasan/report.c:597) ? macvlanforwardsource (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) macvlanforwardsource (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) ? taskletinit (kernel/softirq.c:983) macvlanhandleframe (drivers/net/macvlan.c:501)
Allocated by task 169: kasansavestack (mm/kasan/common.c:58) kasansavetrack (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:70 mm/kasan/common.c:79) __kasan_kmalloc (mm/kasan/common.c:419) __kvmallocnodenoprof (./include/linux/kasan.h:263 mm/slub.c:5657 mm/slub.c:7140) allocnetdevmqs (net/core/dev.c:12012) rtnl_createlink (net/core/rtnetlink.c:3648) rtnlnewlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957 net/core/rtnetlink.c:4072) rtnetlinkrcvmsg (net/core/rtnetlink.c:6958) netlinkrcvskb (net/netlink/afnetlink.c:2550) netlinkunicast (net/netlink/afnetlink.c:1319 net/netlink/afnetlink.c:1344) netlinksendmsg (net/netlink/afnetlink.c:1894) __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206) _x64syssendto (net/socket.c:2209) dosyscall64 (arch/x86/entry/syscall64.c:63 arch/x86/entry/syscall64.c:94) entrySYSCALL64afterhwframe (arch/x86/entry/entry64.S:131)
Freed by task 169: kasansavestack (mm/kasan/common.c:58) kasansavetrack (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:70 mm/kasan/common.c:79) kasansavefree_info (mm/kasan/generic.c:587) __kasanslabfree (mm/kasan/common.c:287) kfree (mm/slub.c:6674 mm/slub.c:6882) rtnlnewlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957 net/core/rtnetlink.c:4072) rtnetlinkrcvmsg (net/core/rtnetlink.c:6958) netlinkrcvskb (net/netlink/afnetlink.c:2550) netlinkunicast (net/netlink/afnetlink.c:1319 net/netlink/afnetlink.c:1344) netlinksendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206) _x64syssendto (net/socket.c:2209) dosyscall64 (arch/x86/entry/syscall64.c:63 arch/x86/entry/syscall64.c:94) entrySYSCALL64afterhwframe (arch/x86/entry/entry64.S:131)
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23273.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/19c7d8ac51988d053709c1e85bd8482076af845d
- https://git.kernel.org/stable/c/1e58ae87ad1e6e24368dea9aec9048c758cd0e2b
- https://git.kernel.org/stable/c/3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4
- https://git.kernel.org/stable/c/721eb342d9ba19bad5c4815ea3921465158b7362
- https://git.kernel.org/stable/c/91e4ff8d966978901630fc29582c1a76d3c6e46c
- https://git.kernel.org/stable/c/a1f686d273d129b45712d95f4095843b864466bd
- https://git.kernel.org/stable/c/d34f7a8aa9a25b7e64e0e46e444697c0f702374d
- https://git.kernel.org/stable/c/e3f000f0dee1bfab52e2e61ca6a3835d9e187e35
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23273.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-23273
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedda5c6b8ae47e414be47e5e04def15b25d5c962dcFixed91e4ff8d966978901630fc29582c1a76d3c6e46c
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8aFixed3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc43d0e787cbba569ec9d11579ed370b50fab6c9cFixed721eb342d9ba19bad5c4815ea3921465158b7362
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced11ba9f0dc865136174cb98834280fb21bbc950c7Fixed19c7d8ac51988d053709c1e85bd8482076af845d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced986967a162142710076782d5b93daab93a892980Fixeda1f686d273d129b45712d95f4095843b864466bd
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66Fixedd34f7a8aa9a25b7e64e0e46e444697c0f702374d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedf8db6475a83649689c087a8f52486fcc53e627e9Fixed1e58ae87ad1e6e24368dea9aec9048c758cd0e2bFixede3f000f0dee1bfab52e2e61ca6a3835d9e187e35
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.10.252
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.202
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.165
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.128
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.75
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.14
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed6.19.4