Description
In the Linux kernel, the following vulnerability has been resolved:

idpf: fix memory leak of flow steer list on rmmod

The flow steering list maintains entries that are added and removed as
ethtool creates and deletes flow steering rules. Module removal with active
entries causes memory leak as the list is not properly cleaned up.

Prevent this by iterating through the remaining entries in the list and
freeing the associated memory during module removal. Add a spinlock
(flow_steer_list_lock) to protect the list access from multiple threads.
Published: 2026-01-31
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Leak
Action: Immediate Patch
AI Analysis

Impact

The Linux kernel idpf module contains a flaw where the flow steering list is not cleared when the module is removed while entries remain. The list holds pointers to memory that must be freed, and their omission causes a persistent memory leak that can grow over time. The cumulative leak can exhaust kernel address space, potentially leading to system instability or a denial‑of‑service condition. The weakness is improper deallocation of dynamically allocated memory (CWE-401).

Affected Systems

This issue affects the Linux kernel, specifically versions 6.17 and 6.19 from release candidate 1 up through release candidate 8. All distributions using these kernel releases are impacted, as the vulnerability is present in the core kernel source regardless of vendor customizations.

Risk and Exploitability

With a CVSS score of 5.5 the vulnerability is considered medium severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires local access to unload the idpf module while flow steering entries are still active; no remote attack vector is identified. The practical impact is a gradual deterioration of kernel memory availability that could terminate processes or lead to kernel panics if left unchecked.

Generated by OpenCVE AI on April 18, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the fix (e.g., the latest 6.19 release candidate or a stable release that incorporates the patch).
  • Reboot the system to ensure the updated kernel is active.
  • If frequent module removal is required, clear all flow steering entries before unloading the module to avoid the leak until the patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 18:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 02 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Sat, 31 Jan 2026 11:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak of flow steer list on rmmod The flow steering list maintains entries that are added and removed as ethtool creates and deletes flow steering rules. Module removal with active entries causes memory leak as the list is not properly cleaned up. Prevent this by iterating through the remaining entries in the list and freeing the associated memory during module removal. Add a spinlock (flow_steer_list_lock) to protect the list access from multiple threads.
Title idpf: fix memory leak of flow steer list on rmmod
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:37:18.088Z

Reserved: 2026-01-13T15:37:45.941Z

Link: CVE-2026-23024

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-01-31T12:16:05.720

Modified: 2026-03-25T15:57:34.290

Link: CVE-2026-23024

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-31T00:00:00Z

Links: CVE-2026-23024 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:45:05Z

Weaknesses