CVE-2026-23313

Vulnerability

In the Linux kernel's i40e network driver, the NAPI poll tracepoint incorrectly uses get_cpu() to obtain the current CPU number without a corresponding put_cpu() call. This creates a preempt count leak, as the preemption counter is incremented but never decremented [1]. The kernel's softirq handler detects the mismatch and logs a warning such as: "softirq: huh, entered softirq 3 NET_RX with preempt_count 00000100, exited with 00000101?" [1].

Exploitation

This bug is triggered during normal network packet processing when the i40e devices. No special privileges or network position are required; any network traffic handled by the driver can cause the tracepoint to fire and leak the preempt count. The issue has existed for over three years, indicating it has been present in many kernel versions [1].

Impact

The primary impact is a kernel warning message and a corrupted preempt count, which can lead to unpredictable behavior in preemption-sensitive code paths. While not directly exploitable for privilege escalation or remote code execution, the warning indicates a kernel state inconsistency that could contribute to instability or denial-of-service conditions.

Mitigation

The fix replaces get_cpu() with smp_processor_id(), which does not modify the preempt count [1]. Patched versions are available in the stable kernel tree [1][2][3][4]. Users should update to a kernel containing the fix.