Use After Free in Linux kernel - CVE-2026-23322

 

Use After Free in Linux kernel - CVE-2026-23322

Published: March 25, 2026


Vulnerability identifier: #VU124518
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23322
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to use-after-free in the IPMI subsystem when handling message sending errors. A local user can trigger a sequence of sender errors to cause list corruption and use-after-free, leading to memory corruption and potential arbitrary code execution or system crash.

Exploitation requires the ability to send messages through the IPMI interface, which is typically accessible to local users with appropriate permissions.


How to mitigate CVE-2026-23322

Install security update from vendor's repository.

Sources