CVE-2026-23255
Description
In the Linux kernel, the following vulnerability has been resolved:
net: add proper RCU protection to /proc/net/ptype
Yin Fengwei reported an RCU stall in ptype_seq_show() and provided a patch.
Real issue is that ptype_seq_next() and ptype_seq_show() violate RCU rules.
ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev to get device name without any barrier.
At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->dev without an RCU grace period.
Define ptype_iter_state to carry a dev pointer along seq_net_private:
struct ptype_iter_state { struct seq_net_private p; struct net_device *dev; // added in this patch };
We need to record the device pointer in ptype_get_idx() and ptype_seq_next() so that ptype_seq_show() is safe against concurrent pt->dev changes.
We also need to add full RCU protection in ptype_seq_next(). (Missing READ_ONCE() when reading list.next values)
Many thanks to Dong Chenchen for providing a repro.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel /proc/net/ptype RCU violation leads to RCU stall; fixed by adding proper RCU protection.
Vulnerability
Description
CVE-2026-23255 is a Linux kernel vulnerability in the /proc/net/ptype file, reported by Yin Fengwei. The issue stems from improper RCU (Read-Copy-Update) protection in the ptype_seq_show() and ptype_seq_next() functions. These functions read pt->dev to obtain the device name without any memory barrier, violating RCU rules. Concurrent writers can remove a packet_type structure and clear pt->dev without an RCU grace period, leading to a race condition.
Exploitation
The attack surface is local, as /proc/net/ptype is a proc file readable by unprivileged users. An attacker could trigger the race condition by performing concurrent operations that modify the packet type list while a user or process reads /proc/net/ptype. This requires no special privileges beyond local access to the system. Dong Chenchen provided a reproducer demonstrating the RCU stall.
Impact
Exploitation results in an RCU stall, causing a denial of service (DoS) condition. The system may become unresponsive or experience degraded performance due to the stall. In some cases, the stall could lead to a system crash or hang.
Mitigation
The fix involves adding a struct ptype_iter_state to carry a dev pointer, ensuring safe access to the device name. Full RCU protection is added in ptype_seq_next() with proper READ_ONCE() barriers. The patch has been applied to the Linux kernel stable tree.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.