Security Vulnerability Report
CVE-2026-23257 CVSS 5.5 MEDIUM

CVE-2026-23257

Published: 2026-03-18 18:16:24
Last Modified: 2026-05-21 00:11:32
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup

In setup_nic_devices(), the initialization loop jumps to the label setup_nic_dev_free on failure. The current cleanup loop while(i--) skips the failing index i, causing a memory leak.

Fix this by changing the loop to iterate from the current index i down to 0.

Also, decrement i in the devlink_alloc failure path to point to the last successfully allocated index.

Compile tested only. Issue found using code review.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

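cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 4.2 inclusive, up to 5.10.250 exclusive) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.11 inclusive, up to 5.15.200 exclusive) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16 inclusive, up to 6.1.163 exclusive) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2 inclusive, up to 6.6.124 exclusive) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.7 inclusive, up to 6.12.70 exclusive) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13 inclusive, up to 6.18.10 exclusive) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1 through rc8 - VULNERABLE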
Linux Kernel (liquidio driver) - versions containing the off-by-one error
For the exact versions, refer to the fix commits on git.kernel.org: 293eaad0d6d6b2a37a458c7deb7be345349cd963 and others

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2026-23257 PoC - Memory Leak in liquidio setup_nic_devices()
// This PoC demonstrates the off-by-one error in the cleanup loop.
// User-space simulation only: it does not touch the kernel or the liquidio driver.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Simulated structure for demonstration
struct nic_device {
    void *devlink;
    void *netdev;
    int allocated;
};

// Vulnerable cleanup function (original buggy version)
void buggy_cleanup(struct nic_device *devices, int i)
{
    int failed = i; // remember the failing index; the loop below ends with i == -1

    printf("[BUGGY] Starting cleanup with i=%d\n", i);
    // Original buggy loop - skips index i
    while (i--) {
        printf("[BUGGY] Freeing device at index %d\n", i);
        if (devices[i].devlink) {
            free(devices[i].devlink);
            devices[i].devlink = NULL;
        }
        if (devices[i].netdev) {
            free(devices[i].netdev);
            devices[i].netdev = NULL;
        }
        devices[i].allocated = 0;
    }
    printf("[BUGGY] Cleanup complete. Device at index %d leaked!\n", failed);
}

// Fixed cleanup function
void fixed_cleanup(struct nic_device *devices, int i)
{
    printf("[FIXED] Starting cleanup with i=%d\n", i);
    // Fixed loop - iterate from current index down to 0
    while (i >= 0) {
        printf("[FIXED] Freeing device at index %d\n", i);
        if (devices[i].devlink) {
            free(devices[i].devlink);
            devices[i].devlink = NULL;
        }
        if (devices[i].netdev) {
            free(devices[i].netdev);
            devices[i].netdev = NULL;
        }
        devices[i].allocated = 0;
        i--;
    }
    printf("[FIXED] Cleanup complete. No memory leaked.\n");
}

int main(void)
{
    printf("=== CVE-2026-23257 PoC Demonstration ===\n\n");

    // Simulate an init loop over 5 devices that fails at index 3:
    // slots 0..3 hold allocations when the cleanup label is reached.
    struct nic_device devices[5];
    int fail_index = 3;

    memset(devices, 0, sizeof(devices));
    for (int j = 0; j <= fail_index; j++) {
        devices[j].devlink = malloc(1024);
        devices[j].netdev = malloc(2048);
        devices[j].allocated = 1;
        printf("Allocated device %d\n", j);
    }

    printf("\n--- Testing Buggy Cleanup (failure at index 3) ---\n");
    buggy_cleanup(devices, fail_index);

    printf("\n--- Testing Fixed Cleanup (failure at index 3) ---\n");
    // Re-allocate for fixed test. Slot 3 still holds the pointers the buggy
    // loop skipped; overwriting them here is the leak being demonstrated.
    for (int j = 0; j <= fail_index; j++) {
        devices[j].devlink = malloc(1024);
        devices[j].netdev = malloc(2048);
        devices[j].allocated = 1;
    }
    fixed_cleanup(devices, fail_index);

    printf("\n=== PoC Complete ===\n");
    printf("The buggy version leaks device at index %d\n", fail_index);
    printf("The fixed version properly frees all resources.\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23257", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-18T18:16:23.997", "lastModified": "2026-05-21T00:11:32.420", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup\n\nIn setup_nic_devices(), the initialization loop jumps to the label\nsetup_nic_dev_free on failure. The current cleanup loop while(i--)\nskip the failing index i, causing a memory leak.\n\nFix this by changing the loop to iterate from the current index i\ndown to 0.\n\nAlso, decrement i in the devlink_alloc failure path to point to the\nlast successfully allocated index.\n\nCompile tested only. Issue found using code review."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: liquidio: Corrección de error 'off-by-one' en la limpieza de PF setup_nic_devices()\n\nEn setup_nic_devices(), el bucle de inicialización salta a la etiqueta setup_nic_dev_free en caso de fallo. El bucle de limpieza actual while(i--) omite el índice 'i' fallido, causando una fuga de memoria.\n\nEsto se corrige cambiando el bucle para que itere desde el índice actual 'i' hasta 0.\n\nAdemás, se decrementa 'i' en la ruta de fallo de devlink_alloc para que apunte al último índice asignado con éxito.\n\nProbado solo en compilación. 
Problema encontrado mediante revisión de código."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-193"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "5.10.250", "matchCriteriaId": "DCE60E24-7685-4F61-B0E6-95BC33714EDF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.200", "matchCriteriaId": "D16F6370-B70F-471C-8363-3A17B0BB1DA9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.163", "matchCriteriaId": "E9C856E1-4308-4C0B-A973-7DD375DF66C4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.124", "matchCriteriaId": "76183B9F-CABE-4E21-A3E3-F0EBF99DC3C7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.70", "matchCriteriaId": "F3791390-0628-4808-99EF-1ED8ABF60933"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.10", "matchCriteriaId": "7156C23F-009E-4D05-838C-A2DA417B5B8D"}, 
{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/293eaad0d6d6b2a37a458c7deb7be345349cd963", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8558aef4e8a1a83049ab906d21d391093cfa7e7f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a0d2389c8cdc ... (truncated)