SB2026032096 - Exposed IOCTL with Insufficient Access Control in Linux kernel cavium liquidio driver
Published: March 20, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Exposed IOCTL with Insufficient Access Control (CVE-ID: CVE-2026-23257)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an off-by-one error in the PF setup_nic_devices() function in the liquidio network driver when handling device initialization cleanup. A local user can trigger improper cleanup of allocated resources to cause a denial of service.
The vulnerability specifically results in a memory leak during device setup failure, which may lead to resource exhaustion over time. Administrative privileges are required to trigger the device setup process.
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/293eaad0d6d6b2a37a458c7deb7be345349cd963
- https://git.kernel.org/stable/c/8558aef4e8a1a83049ab906d21d391093cfa7e7f
- https://git.kernel.org/stable/c/a0d2389c8cdc1f05de5eb8663bffe9ed05dca769
- https://git.kernel.org/stable/c/af38d9a5cb49fe9d0d282b44f17fdc1f3270d99d
- https://git.kernel.org/stable/c/d86c58eb005eb99da402452f3db7a6e0eae32815
- https://git.kernel.org/stable/c/f1216b80c9040a904d2ad7c8cd24ca0ff1f36932
- https://git.kernel.org/stable/c/f86bd16280a0f88b538394e0565c56ce4756da99