Use After Free in Linux kernel - CVE-2026-23273
Published: March 20, 2026
Vulnerability identifier: #VU124177
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23273
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in the macvlan component of the Linux kernel when handling network interface creation errors. A local attacker can send a specially crafted netlink message to trigger improper RCU grace period handling during macvlan device creation, leading to a use-after-free condition.
Exploitation does not require elevated privileges and can result in a system crash due to access of already freed memory in the kernel network stack.
How to mitigate CVE-2026-23273
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/19c7d8ac51988d053709c1e85bd8482076af845d
- https://git.kernel.org/stable/c/1e58ae87ad1e6e24368dea9aec9048c758cd0e2b
- https://git.kernel.org/stable/c/3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4
- https://git.kernel.org/stable/c/721eb342d9ba19bad5c4815ea3921465158b7362
- https://git.kernel.org/stable/c/91e4ff8d966978901630fc29582c1a76d3c6e46c
- https://git.kernel.org/stable/c/a1f686d273d129b45712d95f4095843b864466bd
- https://git.kernel.org/stable/c/d34f7a8aa9a25b7e64e0e46e444697c0f702374d
- https://git.kernel.org/stable/c/e3f000f0dee1bfab52e2e61ca6a3835d9e187e35