Security Vulnerability Report
CVE-2026-23393 CVSS 7.8 HIGH

CVE-2026-23393

Published: 2026-03-25 11:16:40
Last Modified: 2026-04-24 18:39:40
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

bridge: cfm: Fix race condition in peer_mep deletion

When a peer MEP is being deleted, cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in softirq context under rcu_read_lock (without RTNL) and can re-schedule ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync() returning and kfree_rcu() being called.

The following is a simple race scenario:

        cpu0                                        cpu1

mep_delete_implementation()
  cancel_delayed_work_sync(ccm_rx_dwork);
                                              br_cfm_frame_rx()
                                                // peer_mep still in hlist
                                                if (peer_mep->ccm_defect)
                                                  ccm_rx_timer_start()
                                                    queue_delayed_work(ccm_rx_dwork)
  hlist_del_rcu(&peer_mep->head);
  kfree_rcu(peer_mep, rcu);
                                              ccm_rx_work_expired()
                                                // on freed peer_mep

To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync() in both peer MEP deletion paths, so that subsequent queue_delayed_work() calls from br_cfm_frame_rx() are silently rejected.

The cc_peer_disable() helper retains cancel_delayed_work_sync() because it is also used for the CC enable/disable toggle path where the work must remain re-schedulable.
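The fix above rests on one difference between two workqueue primitives: cancel_delayed_work_sync() stops a pending or running instance but leaves the item re-queueable, whereas disable_delayed_work_sync() also makes every later queue_delayed_work() fail until enable_delayed_work() is called. The following userspace model in C is an added example, not code from the advisory or from the kernel source. The model_* functions and the peer_mep stand-in are constructed assumptions that mimic the documented semantics of those primitives; the 'freed' flag stands in for kfree_rcu() so the model can count handler runs on a "freed" object instead of corrupting memory. replay_deletion_race() walks through the cpu0/cpu1 interleaving from the commit message with either primitive, and requeue_allowed_after() shows why cc_peer_disable() has to keep the cancel variant for the CC toggle path.

```c
/* Added illustration, not kernel code: a userspace model of the workqueue
 * primitives the fix contrasts. The model_* functions are assumptions that
 * mimic the documented behaviour of queue_delayed_work(), cancel_delayed_work_sync(),
 * disable_delayed_work_sync() and enable_delayed_work(); peer_mep is a constructed stand-in. */
#include <stdbool.h>

struct delayed_work {
    bool pending;        /* queued, waiting for its timer */
    int  disable_depth;  /* > 0: queueing is rejected */
    void (*fn)(void *);
    void *arg;
};

/* queue_delayed_work(): succeeds only if neither pending nor disabled */
static bool model_queue_delayed_work(struct delayed_work *dw) {
    if (dw->disable_depth > 0 || dw->pending)
        return false;
    dw->pending = true;
    return true;
}

/* cancel_delayed_work_sync(): drops a pending instance (the kernel also waits
 * for a running one) but leaves the item re-queueable afterwards */
static bool model_cancel_delayed_work_sync(struct delayed_work *dw) {
    bool was_pending = dw->pending;
    dw->pending = false;
    return was_pending;
}

/* disable_delayed_work_sync(): cancel, plus later queue attempts are rejected */
static bool model_disable_delayed_work_sync(struct delayed_work *dw) {
    dw->disable_depth++;
    return model_cancel_delayed_work_sync(dw);
}

/* enable_delayed_work(): undoes one disable */
static void model_enable_delayed_work(struct delayed_work *dw) {
    if (dw->disable_depth > 0)
        dw->disable_depth--;
}

/* the timer firing: run the handler if the item is still pending */
static void model_timer_fires(struct delayed_work *dw) {
    if (!dw->pending)
        return;
    dw->pending = false;
    dw->fn(dw->arg);
}

/* Constructed stand-in for the bridge's peer MEP. 'freed' replaces a real
 * kfree_rcu() so the model counts touches after the free instead of corrupting memory. */
struct peer_mep {
    struct delayed_work ccm_rx_dwork;
    bool in_hlist, ccm_defect, freed;
    int  touched_after_free;
};

/* stand-in for ccm_rx_work_expired(), which dereferences peer_mep */
static void ccm_rx_work_expired_model(void *arg) {
    struct peer_mep *mep = arg;
    if (mep->freed)
        mep->touched_after_free++;
}

/* Replays the cpu0/cpu1 interleaving from the advisory. Returns how many times
 * the handler ran on the freed peer_mep: 1 with cancel, 0 with disable. */
static int replay_deletion_race(bool use_disable) {
    struct peer_mep mep = { .in_hlist = true, .ccm_defect = true };
    mep.ccm_rx_dwork.fn = ccm_rx_work_expired_model;
    mep.ccm_rx_dwork.arg = &mep;
    /* cpu0: mep_delete_implementation() stops the work */
    if (use_disable)
        model_disable_delayed_work_sync(&mep.ccm_rx_dwork);
    else
        model_cancel_delayed_work_sync(&mep.ccm_rx_dwork);
    /* cpu1: br_cfm_frame_rx() under rcu_read_lock; peer_mep is still in the
     * hlist, so ccm_rx_timer_start() -> queue_delayed_work() is reached */
    if (mep.in_hlist && mep.ccm_defect)
        model_queue_delayed_work(&mep.ccm_rx_dwork);
    /* cpu0: hlist_del_rcu(), kfree_rcu(); the grace period then elapses */
    mep.in_hlist = false;
    mep.freed = true;
    model_timer_fires(&mep.ccm_rx_dwork);  /* later: ccm_rx_work_expired() */
    return mep.touched_after_free;
}

/* Why cc_peer_disable() keeps cancel: the CC toggle path must be able to queue
 * the work again; after disable that only works once enable_delayed_work() ran. */
static bool requeue_allowed_after(bool use_disable, bool then_enable) {
    struct delayed_work dw = { .fn = ccm_rx_work_expired_model };
    if (use_disable)
        model_disable_delayed_work_sync(&dw);
    else
        model_cancel_delayed_work_sync(&dw);
    if (then_enable)
        model_enable_delayed_work(&dw);
    return model_queue_delayed_work(&dw);
}
```

Compiled with any C99 compiler, replay_deletion_race(false) returns 1 (the handler runs once on the freed object, which is the use-after-free window the cancel variant leaves open) and replay_deletion_race(true) returns 0. requeue_allowed_after(false, false) returns true while requeue_allowed_after(true, false) returns false, which is exactly why the toggle-path helper cannot simply be switched to the disable variant without also adding an enable call.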

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 5.11.1 up to, but excluding, 6.12.78; range from the cpeMatch entries in the raw JSON below)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.13 up to, but excluding, 6.18.20)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.19 up to, but excluding, 6.19.10)
cpe:2.3:o:linux:linux_kernel:5.11:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
Linux Kernel (before the fix commit)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * Conceptual PoC for CVE-2026-23393
 * This PoC attempts to trigger the race condition by:
 * 1. Creating a bridge interface and enabling CFM.
 * 2. Spawning a thread to continuously send CFM frames.
 * 3. Spawning a thread to repeatedly delete and add the peer MEP.
 *
 * Note: Exploiting kernel race conditions requires precise timing
 * and specific kernel configuration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if.h>

// Helper to simulate sending frames (requires raw socket or netlink)
void* send_cfm_frames(void* arg) {
    while (1) {
        // Implementation of sending crafted CCM packets
        // to trigger br_cfm_frame_rx()
        usleep(100); // Adjust timing to increase race window
    }
    return NULL;
}

// Helper to simulate deletion (via Netlink)
void* trigger_delete(void* arg) {
    while (1) {
        // Implementation of netlink message to delete peer MEP
        // This triggers mep_delete_implementation()
        // usleep(100);
    }
    return NULL;
}

int main() {
    pthread_t sender, deleter;

    // Setup network interface and CFM here...

    pthread_create(&sender, NULL, send_cfm_frames, NULL);
    pthread_create(&deleter, NULL, trigger_delete, NULL);

    pthread_join(sender, NULL);
    pthread_join(deleter, NULL);

    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23393", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:40.040", "lastModified": "2026-04-24T18:39:39.577", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: cfm: Fix race condition in peer_mep deletion\n\nWhen a peer MEP is being deleted, cancel_delayed_work_sync() is called\non ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in\nsoftirq context under rcu_read_lock (without RTNL) and can re-schedule\nccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()\nreturning and kfree_rcu() being called.\n\nThe following is a simple race scenario:\n\n cpu0 cpu1\n\nmep_delete_implementation()\n cancel_delayed_work_sync(ccm_rx_dwork);\n br_cfm_frame_rx()\n // peer_mep still in hlist\n if (peer_mep->ccm_defect)\n ccm_rx_timer_start()\n queue_delayed_work(ccm_rx_dwork)\n hlist_del_rcu(&peer_mep->head);\n kfree_rcu(peer_mep, rcu);\n ccm_rx_work_expired()\n // on freed peer_mep\n\nTo prevent this, cancel_delayed_work_sync() is replaced with\ndisable_delayed_work_sync() in both peer MEP deletion paths, so\nthat subsequent queue_delayed_work() calls from br_cfm_frame_rx()\nare silently rejected.\n\nThe cc_peer_disable() helper retains cancel_delayed_work_sync()\nbecause it is also used for the CC enable/disable toggle path where\nthe work must remain re-schedulable."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad:\n\nbridge: cfm: Corrección de condición de carrera en la eliminación de peer_mep\n\nCuando se está eliminando un MEP par, se llama a cancel_delayed_work_sync() en ccm_rx_dwork antes de la liberación. Sin embargo, br_cfm_frame_rx() se ejecuta en contexto de softirq bajo rcu_read_lock (sin RTNL) y puede reprogramar ccm_rx_dwork a través de ccm_rx_timer_start() entre el retorno de cancel_delayed_work_sync() y la llamada a kfree_rcu().\n\nEl siguiente es un escenario de condición de carrera simple:\n\n cpu0 cpu1\n\nmep_delete_implementation()\n cancel_delayed_work_sync(ccm_rx_dwork);\n br_cfm_frame_rx()\n // peer_mep todavía en hlist\n if (peer_mep->ccm_defect)\n ccm_rx_timer_start()\n queue_delayed_work(ccm_rx_dwork)\n hlist_del_rcu(&peer_mep->head);\n kfree_rcu(peer_mep, rcu);\n ccm_rx_work_expired()\n // en peer_mep liberado\n\nPara evitar esto, cancel_delayed_work_sync() se reemplaza por disable_delayed_work_sync() en ambas rutas de eliminación de MEP par, de modo que las llamadas posteriores a queue_delayed_work() desde br_cfm_frame_rx() sean rechazadas silenciosamente.\n\nLa función auxiliar cc_peer_disable() mantiene cancel_delayed_work_sync() porque también se utiliza para la ruta de alternancia de habilitación/deshabilitación de CC donde el trabajo debe permanecer reprogramable."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11.1", "versionEndExcluding": "6.12.78", "matchCriteriaId": "0618528B-8039-4E87-8695-397AE7D4B4E5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.20", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.10", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux ... (truncated)