Description
In the Linux kernel, the following vulnerability has been resolved:

netrom: fix double-free in nr_route_frame()

In nr_route_frame(), old_skb is immediately freed without checking if
nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL,
the caller function will free old_skb again, causing a double-free bug.

Therefore, to prevent this, we need to modify it to check whether
nr_neigh->ax25 is NULL before freeing old_skb.
Published: 2026-02-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Patch
AI Analysis

Impact

The vulnerability is a double‐free flaw in the Linux kernel netrom code, triggered during nr_route_frame(). Old packet data is freed without checking whether the neighbor’s ax25 pointer is NULL, so when the pointer is NULL the caller frees the same buffer again. This double‑free can corrupt kernel memory, potentially causing a crash or, in the worst case, allowing an attacker to execute arbitrary code at kernel level. The CVE description itself states only that memory corruption can result; the possibility of remote code execution is inferred, not explicitly asserted.

Affected Systems

The bug exists in all Linux kernel releases that contain the original implementation of nr_route_frame, from kernel 2.6.12 (including its release candidates) through 6.19 rc6 and earlier. Any system running an unpatched kernel from this range is affected. The issue is specific to the netrom portion of the kernel; disabling that protocol eliminates the risk.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS value of less than 1% suggests exploitation is unlikely at present but not impossible. The flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires an attacker to send malformed or specially crafted netrom network packets to the target system, or to have local privileges that can trigger the double‑free. Thus, remote or local compromise of the netrom stack is inferred as the primary path for exploitation.

Generated by OpenCVE AI on April 16, 2026 at 06:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the netrom patch that guards against double‐free in nr_route_frame().
  • If the kernel version cannot be updated immediately, disable the netrom protocol or remove its module to eliminate the vulnerable code path.
  • If no official patch is available, manually apply the upstream commit that fixes the double‐free to your kernel source and rebuild.

Generated by OpenCVE AI on April 16, 2026 at 06:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4475-1 linux security update
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6127-1 linux security update
Ubuntu USN Ubuntu USN USN-8162-1 Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8186-1 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8187-1 Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8188-1 Linux kernel (HWE) vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-4 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-5 Linux kernel (IBM) vulnerabilities
History

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 18 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 06 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
References

Thu, 05 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References

Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netrom: fix double-free in nr_route_frame() In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again, causing a double-free bug. Therefore, to prevent this, we need to modify it to check whether nr_neigh->ax25 is NULL before freeing old_skb.
Title netrom: fix double-free in nr_route_frame()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T13:31:55.725Z

Reserved: 2026-01-13T15:37:45.964Z

Link: CVE-2026-23098

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-02-04T17:16:20.680

Modified: 2026-04-03T14:16:23.193

Link: CVE-2026-23098

cve-icon Redhat

Severity :

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23098 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T07:00:11Z

Weaknesses