CVE-2026-23255
Description
In the Linux kernel, the following vulnerability has been resolved:
net: add proper RCU protection to /proc/net/ptype
Yin Fengwei reported an RCU stall in ptype_seq_show() and provided a patch.
Real issue is that ptype_seq_next() and ptype_seq_show() violate RCU rules.
ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev to get device name without any barrier.
At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->dev without an RCU grace period.
Define ptype_iter_state to carry a dev pointer along seq_net_private:
struct ptype_iter_state { struct seq_net_private p; struct net_device *dev; // added in this patch };
We need to record the device pointer in ptype_get_idx() and ptype_seq_next() so that ptype_seq_show() is safe against concurrent pt->dev changes.
We also need to add full RCU protection in ptype_seq_next(). (Missing READ_ONCE() when reading list.next values)
Many thanks to Dong Chenchen for providing a repro.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
48cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 14 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=2.6.12.1,<6.6.136
- cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
- (no CPE)
- osv-coords33 versionspkg:linux/kernelpkg:rpm/opensuse/dtb-aarch64&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-64kb&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-azure&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-default-base&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-default&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-docs&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-kvmsmall&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-obs-build&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-obs-qa&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-rt&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-source&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-syms&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/kernel-zfcpdump&distro=openSUSE%20Leap%2016.0pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-livepatch-SLE15-SP7-RT_Update_11&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP7pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP7pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP7pkg:rpm/suse/kernel-syms-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP7
>= 2.6.12, < 6.18.10+ 32 more
- (no CPE)range: >= 2.6.12, < 6.18.10
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.27.1.160000.2.8
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.4.0-41.1.21.18
- (no CPE)range: < 6.4.0-41.1.21.18
- (no CPE)range: < 6.12.0-160000.27.1.160000.2.8
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 1-150700.1.3.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.4.0-150700.7.37.2
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.12.0-160000.28.1
- (no CPE)range: < 6.4.0-41.1
- (no CPE)range: < 6.4.0-150700.7.37.2
- (no CPE)range: < 6.4.0-150700.7.37.1
Patches
Vulnerability mechanics
References
5- git.kernel.org/stable/c/002a73470b56848e4c81efeaaedd471e92d66d8dnvdPatch
- git.kernel.org/stable/c/589a530ae44d0c80f523fcfd1a15af8087f27d35nvdPatch
- git.kernel.org/stable/c/dcefd3f0b9ed8288654c75254bdcee8e1085e861nvdPatch
- git.kernel.org/stable/c/f613e8b4afea0cd17c7168e8b00e25bc8d33175dnvdPatch
- git.kernel.org/stable/c/e974a10a52618f7f57a4bce173a0ed96acd4e5dcnvd
News mentions
0No linked articles in our index yet.