CVE-2026-23257
Description
In the Linux kernel, the following vulnerability has been resolved:
net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup
In setup_nic_devices(), the initialization loop jumps to the label setup_nic_dev_free on failure. The current cleanup loop while(i--) skip the failing index i, causing a memory leak.
Fix this by changing the loop to iterate from the current index i down to 0.
Also, decrement i in the devlink_alloc failure path to point to the last successfully allocated index.
Compile tested only. Issue found using code review.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Off-by-one error in Linux kernel liquidio driver cleanup causes memory leak on initialization failure.
Vulnerability
In the Linux kernel's liquidio driver, the setup_nic_devices() function contains an off-by-one error in its cleanup loop. On initialization failure, the loop while(i--) skips the failing index i, leading to a memory leak for that index. This affects versions prior to the fix introduced in stable kernel commits [1].
Exploitation
An attacker requires the ability to trigger a failure during setup_nic_devices() execution, which may occur during device initialization or configuration. The vulnerability is only reachable when an error occurs in the initialization loop, making exploitation dependent on inducing such a failure. No authentication is necessary if the attacker can control device parameters or cause resource exhaustion.
Impact
A local attacker could cause a memory leak, potentially leading to system instability or denial of service due to memory exhaustion. The leak is limited to the failing index and does not provide code execution or privilege escalation.
Mitigation
The fix is included in Linux kernel stable updates as of 2026 [1]. Users should update to the latest kernel version containing the patch. No workaround is available for unpatched systems.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Linux/Linuxv5Range: 4.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/293eaad0d6d6b2a37a458c7deb7be345349cd963nvdPatch
- git.kernel.org/stable/c/8558aef4e8a1a83049ab906d21d391093cfa7e7fnvdPatch
- git.kernel.org/stable/c/a0d2389c8cdc1f05de5eb8663bffe9ed05dca769nvdPatch
- git.kernel.org/stable/c/af38d9a5cb49fe9d0d282b44f17fdc1f3270d99dnvdPatch
- git.kernel.org/stable/c/d86c58eb005eb99da402452f3db7a6e0eae32815nvdPatch
- git.kernel.org/stable/c/f1216b80c9040a904d2ad7c8cd24ca0ff1f36932nvdPatch
- git.kernel.org/stable/c/f86bd16280a0f88b538394e0565c56ce4756da99nvdPatch
News mentions
0No linked articles in our index yet.