SB2026032097 - Exposed IOCTL with Insufficient Access Control in Linux kernel cavium liquidio driver
Published: March 20, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Exposed IOCTL with Insufficient Access Control (CVE-ID: CVE-2026-23256)
The vulnerability allows a local user to cause a memory leak.
The vulnerability exists due to an off-by-one error in the VF setup_nic_devices() cleanup function in the net: liquidio component when initializing network devices. A local user can trigger a failure during device setup to cause a memory leak.
The vulnerability specifically affects the cleanup logic in setup_nic_devices(), where the loop fails to release memory for the current index on the error path. Triggering it requires the ability to configure or trigger virtual function (VF) device initialization, which is typically available to privileged users.
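A simplified user-space model of the cleanup pattern described above, added here as an illustration. It is not the liquidio driver's code or the upstream patch; `model_dev`, `dev_alloc`, `dev_free`, `setup_model` and the `fixed` switch are hypothetical names, and the allocation counter stands in for leaked kernel memory.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_DEVS 4

/* Hypothetical stand-in for a per-interface object; not the driver's types. */
struct model_dev { int id; };

static int live_allocs; /* outstanding allocations = leak counter */

static struct model_dev *dev_alloc(int id)
{
    struct model_dev *d = malloc(sizeof(*d));
    if (d) { d->id = id; live_allocs++; }
    return d;
}

static void dev_free(struct model_dev *d)
{
    if (d) { free(d); live_allocs--; }
}

/* Set up n devices; a post-allocation init step fails at index fail_at
 * (-1 = no failure). Returns the number of allocations still live. */
static int setup_model(int n, int fail_at, int fixed)
{
    struct model_dev *devs[MAX_DEVS] = { 0 };
    int i;

    live_allocs = 0;
    if (n > MAX_DEVS) n = MAX_DEVS;
    for (i = 0; i < n; i++) {
        devs[i] = dev_alloc(i);
        if (!devs[i] || i == fail_at)
            goto cleanup;        /* on init failure devs[i] is already held */
    }
    while (i--)                  /* success: ordinary teardown of 0..n-1 */
        dev_free(devs[i]);
    return live_allocs;
cleanup:
    if (fixed)
        dev_free(devs[i]);       /* release the failing index itself */
    while (i--)                  /* releases i-1..0 only */
        dev_free(devs[i]);
    return live_allocs;
}

int main(void)
{
    printf("buggy leak=%d fixed leak=%d\n", setup_model(4, 2, 0), setup_model(4, 2, 1));
    return 0;
}
```

Each failed setup in the unfixed path leaves exactly one object allocated, so the leak grows with every repeated initialization failure.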
Remediation
Install the update from the vendor's website.
References
- https://git.kernel.org/stable/c/01fbca1e93ec3f39f76c31a8f9afa32ce00da48a
- https://git.kernel.org/stable/c/3bf519e39b51cb08a93c0599870b35a23db1031e
- https://git.kernel.org/stable/c/4640fa5ad5e1a0dbd1c2d22323b7d70a8107dcfd
- https://git.kernel.org/stable/c/52b19b3a22306fe452ec9e8ff96063f4bfb77b99
- https://git.kernel.org/stable/c/6cbba46934aefdfb5d171e0a95aec06c24f7ca30
- https://git.kernel.org/stable/c/71a56b89203ec7e5670d94a61a9b4ae617eca804
- https://git.kernel.org/stable/c/bd680e56e316be92c01568be98d85d7a6c9bd92c