CVE-2026-23273
Description
In the Linux kernel, the following vulnerability has been resolved:
macvlan: observe an RCU grace period in macvlan_common_newlink() error path
valis reported that a race condition still happens after my prior patch.
macvlan_common_newlink() might have made @dev visible before detecting an error, and its caller will directly call free_netdev(dev).
We must respect an RCU period, either in macvlan or the core networking stack.
After adding a temporary mdelay(1000) in macvlan_forward_source_one() to open the race window, valis repro was:
ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source
(ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 &) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4 PING 1.2.3.4 (1.2.3.4): 56 data bytes RTNETLINK answers: Invalid argument
BUG: KASAN: slab-use-after-free in macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) Read of size 8 at addr ffff888016bb89c0 by task e/175
CPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace:
dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) kasan_report (mm/kasan/report.c:597) ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) ? tasklet_init (kernel/softirq.c:983) macvlan_handle_frame (drivers/net/macvlan.c:501)
Allocated by task 169: kasan_save_stack (mm/kasan/common.c:58) kasan_save_track (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:70 mm/kasan/common.c:79) __kasan_kmalloc (mm/kasan/common.c:419) __kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657 mm/slub.c:7140) alloc_netdev_mqs (net/core/dev.c:12012) rtnl_create_link (net/core/rtnetlink.c:3648) rtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957 net/core/rtnetlink.c:4072) rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) netlink_rcv_skb (net/netlink/af_netlink.c:2550) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
Freed by task 169: kasan_save_stack (mm/kasan/common.c:58) kasan_save_track (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:70 mm/kasan/common.c:79) kasan_save_free_info (mm/kasan/generic.c:587) __kasan_slab_free (mm/kasan/common.c:287) kfree (mm/slub.c:6674 mm/slub.c:6882) rtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957 net/core/rtnetlink.c:4072) rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) netlink_rcv_skb (net/netlink/af_netlink.c:2550) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in Linux kernel's macvlan driver due to missing RCU grace period in error path allows local attackers to crash the system.
Vulnerability
A use-after-free vulnerability exists in the Linux kernel's macvlan driver, specifically in the macvlan_common_newlink() function. When creating a new macvlan interface, if an error occurs after the device has been made visible to the network stack, the error path directly calls free_netdev() without waiting for an RCU grace period. This allows a concurrent RCU reader, such as macvlan_forward_source(), to access freed memory, leading to a use-after-free condition.
Exploitation
Exploitation requires local access and the ability to create macvlan interfaces (CAP_NET_ADMIN). An attacker can trigger the race by concurrently creating a macvlan interface with an invalid parameter (e.g., an interface name containing "invalid%") while sending network traffic. The provided reproducer uses a veth pair and a ping to trigger the forwarding path, causing a slab-use-after-free detected by KASAN.
Impact
The primary impact is a kernel crash (use-after-free) leading to a denial of service. While the description does not confirm privilege escalation, use-after-free vulnerabilities in kernel drivers can potentially be exploited for arbitrary code execution.
Mitigation
The fix ensures that an RCU grace period is observed before freeing the netdev in the error path. Patches have been applied to the stable kernel trees [1][2][3][4]. Users should update to the latest stable kernel version to mitigate this vulnerability.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/19c7d8ac51988d053709c1e85bd8482076af845dnvd
- git.kernel.org/stable/c/1e58ae87ad1e6e24368dea9aec9048c758cd0e2bnvd
- git.kernel.org/stable/c/3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4nvd
- git.kernel.org/stable/c/721eb342d9ba19bad5c4815ea3921465158b7362nvd
- git.kernel.org/stable/c/91e4ff8d966978901630fc29582c1a76d3c6e46cnvd
- git.kernel.org/stable/c/a1f686d273d129b45712d95f4095843b864466bdnvd
- git.kernel.org/stable/c/d34f7a8aa9a25b7e64e0e46e444697c0f702374dnvd
- git.kernel.org/stable/c/e3f000f0dee1bfab52e2e61ca6a3835d9e187e35nvd
News mentions
0No linked articles in our index yet.