Description
In the Linux kernel, the following vulnerability has been resolved:

net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback

octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to
ioq_vector. If request_irq() fails part-way, the rollback loop calls
free_irq() with dev_id set to 'oct', which does not match the original
dev_id and may leave the irqaction registered.

This can keep IRQ handlers alive while ioq_vector is later freed during
unwind/teardown, leading to a use-after-free or crash when an interrupt
fires.

Fix the error path to free IRQs with the same ioq_vector dev_id used
during request_irq().
Published: 2026-01-25
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Use-After-Free leading to kernel crash and denial of service
Action: Immediate Patch
AI Analysis

Impact

A mismatch between the dev_id passed when requesting MSI-X queue IRQs and the dev_id passed when freeing them in the rollback path can leave an irqaction registered. If the IRQ handler remains registered after ioq_vector has been freed, an interrupt may trigger a use-after-free or crash the kernel. The flaw is classified as a use-after-free vulnerability.
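
A userspace C model of the dev_id mismatch described above, added here as an illustration; it is not the driver's code or the upstream patch. `model_request_irq()`, `model_free_irq()`, `struct model_oct` and the queue count are constructed stand-ins; only the names `oct` and `ioq_vector` come from the description.

```c
#include <stdio.h>
#define NVEC 4                       /* constructed queue count */

struct ioq_vector { int qno; };
struct model_oct { const char *name; struct ioq_vector vec[NVEC]; };

/* Constructed model: per-IRQ slot holding the registered dev_id (NULL = none). */
static void *registered[NVEC];
static struct model_oct g_oct = { "model", { {0}, {1}, {2}, {3} } };

static int model_request_irq(int irq, void *dev_id, int fail_at)
{
    if (irq == fail_at)
        return -1;                   /* simulated request_irq() failure */
    registered[irq] = dev_id;
    return 0;
}

/* As with free_irq(), the action is removed only if dev_id matches. */
static void model_free_irq(int irq, void *dev_id)
{
    if (registered[irq] == dev_id)
        registered[irq] = NULL;
}

/* Fails setup at fail_at; returns how many handlers survive the rollback. */
static int handlers_left_after_rollback(int fail_at, int fixed)
{
    struct model_oct *oct = &g_oct;
    int i, left = 0;
    for (i = 0; i < NVEC; i++)
        registered[i] = NULL;
    for (i = 0; i < NVEC; i++)       /* dev_id is the per-queue ioq_vector */
        if (model_request_irq(i, &oct->vec[i], fail_at))
            break;
    if (i < NVEC)                    /* rollback runs only after a failure */
        while (--i >= 0)
            model_free_irq(i, fixed ? (void *)&oct->vec[i] : (void *)oct);
    for (i = 0; i < NVEC; i++)
        left += registered[i] != NULL;
    return left;
}

int main(void)
{
    printf("left: mismatched=%d matching=%d\n",
           handlers_left_after_rollback(2, 0), handlers_left_after_rollback(2, 1));
    return 0;
}
```

Every handler counted as left over still holds a pointer to its `ioq_vector`, which is the state the description says leads to a use-after-free once that memory is freed during unwind.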

Affected Systems

The issue is listed for Linux kernel 6.9 and for all release-candidate builds of kernel 6.19. Any system running one of these kernel versions, including development branches and early releases, is potentially impacted.

Risk and Exploitability

With a CVSS score of 7, the potential impact is high, but the EPSS score of less than 1% and absence from the KEV catalog suggest a low likelihood of widespread exploitation. A local or privileged adversary that can trigger the faulty IRQ rollback path could cause a denial of service by crashing the kernel. The vulnerability is unlikely to be remotely exploitable without prior access to the affected system.

Generated by OpenCVE AI on April 15, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the fix for the IRQ rollback dev_id mismatch (e.g., the latest stable 6.19 or newer release).
  • If an upgrade is not immediately possible, restrict the installation or loading of drivers that use the octeon_ep_vf interface and limit privileged device access to trusted users only.
  • While a temporary workaround is not supplied, monitor kernel logs for IRQ-related panics and apply any community patches that correct the free_irq dev_id handling if they become available.

Advisories
Source | ID | Title
Debian DSA | DSA-6126-1 | linux security update

History

Fri, 03 Apr 2026 14:00:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} | cvssV3_1: {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 25 Mar 2026 20:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416
CPEs | | cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:6.9:-:*:*:*:*:*:*
Metrics | cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 26 Jan 2026 12:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
 | | threat_severity: Important


Sun, 25 Jan 2026 14:45:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqaction registered. This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or crash when an interrupt fires. Fix the error path to free IRQs with the same ioq_vector dev_id used during request_irq().
Title | | net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
First Time appeared | | Linux
 | | Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux
 | | Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T13:31:49.868Z

Reserved: 2026-01-13T15:37:45.940Z

Link: CVE-2026-23013

Vulnrichment

No data.

NVD

Status: Modified

Published: 2026-01-25T15:15:56.173

Modified: 2026-04-03T14:16:22.217

Link: CVE-2026-23013

Redhat

Severity: Important

Public Date: 2026-01-25T00:00:00Z

Links: CVE-2026-23013 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T21:45:14Z

Weaknesses