Description
In the Linux kernel, the following vulnerability has been resolved:

macvlan: fix possible UAF in macvlan_forward_source()

Add RCU protection on (struct macvlan_source_entry)->vlan.

Whenever macvlan_hash_del_source() is called, we must clear
entry->vlan pointer before RCU grace period starts.

This allows macvlan_forward_source() to skip over
entries queued for freeing.

Note that macvlan_dev are already RCU protected, as they
are embedded in a standard netdev (netdev_priv(ndev)).

https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
Published: 2026-01-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation via Kernel Use-After-Free
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs in the Linux kernel’s macvlan subsystem. A use‑after‑free condition within macvlan_forward_source() allows an attacker to manipulate the VLAN pointer during a deletion sequence. If successful, the kernel may execute code in an uncontrolled context, potentially granting the attacker kernel‑level privileges. This flaw is linked to CWE‑416 and carries a CVSS score of 7.8. The description indicates that the issue was resolved by adding RCU protection and clearing the pointer before the grace period starts, preventing stale references.

Affected Systems

Affected products are Linux kernel releases that incorporate the macvlan code path, notably kernel 3.18 and the 6.19 release candidates from rc1 through rc8. The CPE list also references the generic Linux kernel family, implying any kernel version lacking the applied patch is susceptible. Systems running one of these kernels without the fix remain vulnerable.

Risk and Exploitability

The CVSS base score of 7.8 indicates high severity, but the EPSS score of less than 1% suggests a currently low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, indicating that no widespread or confirmed attacks have been reported yet. Attackers would need to trigger a packet processing path that deletes a macvlan source entry while an attacker controls the associated VLAN pointer, implying local or possibly remote code execution if the attacker can manipulate traffic directed to the kernel.

Generated by OpenCVE AI on April 18, 2026 at 02:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the UAF fix, such as kernel 6.19 rc8 or later stable releases.
  • For systems that cannot be upgraded immediately, verify that the patch commit 15f6faf36e162532bec5cc05eb3fc622108bf2ed has been applied to your kernel source and rebuild.
  • As a temporary measure, disable macvlan interfaces or restrict traffic that triggers macvlan_forward_source() until a patched kernel is deployed.

Generated by OpenCVE AI on April 18, 2026 at 02:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4475-1 linux security update
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6127-1 linux security update
Ubuntu USN Ubuntu USN USN-8162-1 Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8186-1 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8187-1 Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8188-1 Linux kernel (HWE) vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-4 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-5 Linux kernel (IBM) vulnerabilities
History

Wed, 25 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:3.18:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 06 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
References

Fri, 30 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
References

Mon, 26 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Sun, 25 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
Title macvlan: fix possible UAF in macvlan_forward_source()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:36:53.776Z

Reserved: 2026-01-13T15:37:45.938Z

Link: CVE-2026-23001

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-01-25T15:15:54.970

Modified: 2026-03-25T19:23:11.063

Link: CVE-2026-23001

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-25T00:00:00Z

Links: CVE-2026-23001 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:00:10Z

Weaknesses