Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix reference count leak in bpf_prog_test_run_xdp()

syzbot is reporting

unregister_netdevice: waiting for sit0 to become free. Usage count = 2

problem. A debug printk() patch found that a refcount is obtained at
xdp_convert_md_to_buff() from bpf_prog_test_run_xdp().

According to commit ec94670fcb3b ("bpf: Support specifying ingress via
xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by
xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().

Therefore, we can consider that the error handling path introduced by
commit 1c1949982524 ("bpf: introduce frags support to
bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md().
Published: 2026-01-23
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Resource exhaustion leading to possible denial of service
Action: Update kernel
AI Analysis

Impact

The kernel leaks a reference count when BPF programs with XDP are run through the test run interface and bpf_prog_test_run_xdp() takes its error-handling path: the reference obtained in xdp_convert_md_to_buff() is never released by xdp_convert_buff_to_md(). Each leaked reference stays held, which over time can exhaust resources and destabilize the system; the syzbot report shows the symptom as unregister_netdevice waiting for sit0 to become free. The flaw is a classic resource leak and does not directly grant arbitrary code execution or privilege escalation, but it can degrade availability if exploited repeatedly.
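
The leak pattern described above, reduced to a user-space C model. This is an added example, not kernel source and not part of the CVE record; `model_dev`, `md_to_buff`, `buff_to_md`, `setup_frags`, the fragment limit of 4 and the idle usage count of 1 are hypothetical stand-ins chosen for the model.

```c
/* User-space model (constructed), not kernel source; every name is hypothetical. */
#include <errno.h>
#include <stdio.h>

struct model_dev { const char *name; int usage; }; /* model: usage 1 = idle */

/* Stand-in for the md->buff step: takes a reference on the device. */
static void md_to_buff(struct model_dev *d) { d->usage++; }
/* Stand-in for the buff->md step: the only place that reference is dropped. */
static void buff_to_md(struct model_dev *d) { d->usage--; }
/* Simulated fragment setup with a made-up limit of 4 fragments. */
static int setup_frags(int nr_frags) { return nr_frags > 4 ? -ENOMEM : 0; }

/* Leaky shape: the fragment error path jumps past the release. */
int test_run_leaky(struct model_dev *d, int nr_frags)
{
    int ret;
    md_to_buff(d);
    ret = setup_frags(nr_frags);
    if (ret)
        goto out;          /* reference taken above is never dropped */
    buff_to_md(d);
out:
    return ret;
}

/* Corrected shape: every exit after the acquire goes through the release. */
int test_run_fixed(struct model_dev *d, int nr_frags)
{
    int ret;
    md_to_buff(d);
    ret = setup_frags(nr_frags);
    if (ret)
        goto out_put;
    /* the program under test would run here */
out_put:
    buff_to_md(d);
    return ret;
}

/* Teardown can complete only when no extra reference is outstanding. */
int can_unregister(const struct model_dev *d) { return d->usage == 1; }

int main(void)
{
    struct model_dev a = { "dev0", 1 }, b = { "dev0", 1 };
    test_run_leaky(&a, 9);
    test_run_fixed(&b, 9);
    printf("leaky: usage=%d can_unregister=%d\n", a.usage, can_unregister(&a));
    printf("fixed: usage=%d can_unregister=%d\n", b.usage, can_unregister(&b));
    return 0;
}
```

In the model, each failing call to the leaky variant raises the usage count by one, so teardown of the device can never complete, while the corrected variant returns the same error with the count unchanged.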

Affected Systems

All Linux kernel releases are listed in the CPE data; the vulnerability was identified in early 6.19 release candidates (rc1‑rc5). Any system using those kernels or earlier ones until the fix was integrated is potentially impacted. The patch is part of the mainline kernel; administrators should verify that their kernel build includes the commits that resolve the leak.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while an EPSS score under 1% implies a low likelihood of exploitation in the wild. The CVE description does not state which privileges are needed; it is inferred that using the BPF_PROG_TEST_RUN interface typically requires elevated privileges such as root or CAP_SYS_ADMIN, so the conclusion that unprivileged users cannot exploit the bug directly is also an inference. The bug is not currently listed in the CISA KEV catalog, further reducing its prominence as a target for adversaries.

Generated by OpenCVE AI on April 18, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the commit that fixes the reference count leak in bpf_prog_test_run_xdp()
  • Restrict usage of the BPF_PROG_TEST_RUN interface by removing CAP_SYS_ADMIN from untrusted users or applying kernel capability restrictions
  • Monitor kernel logs for 'unregister_netdevice: waiting...' warnings and kernel memory usage, and investigate any persistent leaks

Advisories

  • Debian DLA DLA-4476-1: linux-6.1 security update
  • Debian DSA DSA-6126-1: linux security update
  • Debian DSA DSA-6127-1: linux security update

History

Thu, 26 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*

Sat, 24 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity Low

Fri, 23 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
Title bpf: Fix reference count leak in bpf_prog_test_run_xdp()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:36:45.690Z

Reserved: 2026-01-13T15:37:45.937Z

Link: CVE-2026-22994

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-01-23T16:15:55.490

Modified: 2026-02-26T17:19:00.130

Link: CVE-2026-22994

Redhat

Severity: Low

Public Date: 2026-01-23T00:00:00Z

Links: CVE-2026-22994 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses