Exposed IOCTL with Insufficient Access Control in Linux kernel - CVE-2026-23256

Published: March 20, 2026


Vulnerability identifier: #VU124192
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23256
CWE-ID: CWE-782
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to cause a memory leak.

The vulnerability exists due to an off-by-one error in the cleanup path of the VF setup_nic_devices() function in the net: liquidio component when initializing network devices. A local user who can make device setup fail can cause a memory leak.

Specifically, when setup of one interface fails, the error-path loop in setup_nic_devices() releases only the interfaces with an index lower than the failing one; the partially initialized interface at the current index is skipped, so the memory already allocated for it is never freed. Triggering the bug requires the ability to configure or trigger virtual function (VF) device initialization, which is typically limited to privileged users.
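The following is an added illustration of the off-by-one cleanup pattern described above, written for this page; it is not the liquidio driver's code and does not reproduce its data structures. The struct, the function names setup_one()/release_if()/leaked_after(), the simulated failure point and the allocation counter are all assumptions made for the example. It sets up a small array of interfaces, forces a failure part-way through the current interface, and counts how many allocations are still live after the unwind, once with a loop that stops short of the current index and once with the corrected bound.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_IFS 8

/* Hypothetical per-interface state (example only, not the real driver's). */
struct nic_if {
    void *netdev;   /* simulated net_device allocation */
    void *ring;     /* simulated I/O queue allocation */
};

/* Minimal leak tracker: number of allocations not yet freed. */
static int live_allocs;

static void *track_alloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        live_allocs++;
    return p;
}

static void track_free(void *p)
{
    if (p) {
        free(p);
        live_allocs--;
    }
}

/* Releases whatever an interface has allocated; safe on a partial setup. */
static void release_if(struct nic_if *nif)
{
    track_free(nif->ring);
    nif->ring = NULL;
    track_free(nif->netdev);
    nif->netdev = NULL;
}

/* Sets up one interface. If idx == fail_at, the step after the first
 * allocation fails, leaving the interface partially initialized. */
static int setup_one(struct nic_if *nif, int idx, int fail_at)
{
    nif->netdev = track_alloc(64);
    if (!nif->netdev)
        return -1;
    if (idx == fail_at)
        return -1;              /* simulated failure of a later setup step */
    nif->ring = track_alloc(256);
    if (!nif->ring)
        return -1;
    return 0;
}

/* Off-by-one unwind: only indexes below i are released, so the partially
 * set up interface i keeps its netdev allocation. */
static int setup_nic_devices_leaky(struct nic_if *ifs, int num, int fail_at)
{
    int i, j;
    for (i = 0; i < num; i++) {
        if (setup_one(&ifs[i], i, fail_at) != 0) {
            for (j = 0; j < i; j++)
                release_if(&ifs[j]);
            return -1;
        }
    }
    return 0;
}

/* Corrected unwind: the current index is included. */
static int setup_nic_devices_fixed(struct nic_if *ifs, int num, int fail_at)
{
    int i, j;
    for (i = 0; i < num; i++) {
        if (setup_one(&ifs[i], i, fail_at) != 0) {
            for (j = 0; j <= i; j++)
                release_if(&ifs[j]);
            return -1;
        }
    }
    return 0;
}

/* Runs one scenario (fail_at < 0 means no failure) and returns the number of
 * allocations still live afterwards, i.e. the leak count. */
int leaked_after(int use_fixed, int num, int fail_at)
{
    struct nic_if ifs[MAX_IFS];
    int i, rc;

    memset(ifs, 0, sizeof ifs);
    live_allocs = 0;
    rc = use_fixed ? setup_nic_devices_fixed(ifs, num, fail_at)
                   : setup_nic_devices_leaky(ifs, num, fail_at);
    if (rc == 0)                /* normal teardown on success */
        for (i = 0; i < num; i++)
            release_if(&ifs[i]);
    return live_allocs;
}

int main(void)
{
    printf("leaky, failure at index 2: %d live allocation(s)\n", leaked_after(0, 4, 2));
    printf("fixed, failure at index 2: %d live allocation(s)\n", leaked_after(1, 4, 2));
    return 0;
}
```

The same leak appears when the very first interface fails (fail_at = 0), because the short-bound loop then runs zero times; the corrected bound releases index 0 as well. Note that release_if() must tolerate fields that were never allocated, since the current index is by definition only partly set up when the unwind runs.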


How to mitigate CVE-2026-23256

Install the security update from the vendor's repository.

Sources