Description
In the Linux kernel, the following vulnerability has been resolved:

net: add proper RCU protection to /proc/net/ptype

Yin Fengwei reported an RCU stall in ptype_seq_show() and provided
a patch.

Real issue is that ptype_seq_next() and ptype_seq_show() violate
RCU rules.

ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev
to get device name without any barrier.

At the same time, concurrent writers can remove a packet_type structure
(which is correctly freed after an RCU grace period) and clear pt->dev
without an RCU grace period.

Define ptype_iter_state to carry a dev pointer along seq_net_private:

struct ptype_iter_state {
struct seq_net_private p;
struct net_device *dev; // added in this patch
};

We need to record the device pointer in ptype_get_idx() and
ptype_seq_next() so that ptype_seq_show() is safe against
concurrent pt->dev changes.

We also need to add full RCU protection in ptype_seq_next().
(Missing READ_ONCE() when reading list.next values)

Many thanks to Dong Chenchen for providing a repro.
Published: 2026-03-18
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential kernel freeze or crash due to improper RCU handling
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is caused by a violation of RCU (Read‑Copy‑Update) rules in the Linux kernel’s handling of /proc/net/ptype. The routine ptype_seq_show() obtains a device pointer while holding rcu_read_lock() without a memory barrier, and concurrent writers can delete the packet_type structure and clear its device pointer without waiting for an RCU grace period. This race can lead to a kernel stall or crash because the reader may access freed or invalid data, compromising system availability.

Affected Systems

All Linux kernel builds that do not contain the patch that adds proper RCU protection to /proc/net/ptype are affected. That includes all kernels before the commit that introduced the ptype_iter_state struct and the READ_ONCE() safeguards. The issue touches the core networking subsystem, so any system running an unpatched kernel is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.0 indicates moderate severity. The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation in the wild. An attacker would need to induce a race condition against the packet_type list, which typically requires local or privileged access to manipulate /proc/net/ptype or to load drivers that modify packet_type entries. The most likely attack vector is a local privilege escalation or a malicious kernel module that performs concurrent modifications, though a remote attacker might trigger it through network traffic that causes concurrent writes if such an interface is exposed.

Generated by OpenCVE AI on March 27, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the RCU protection patch, typically released in the latest stable kernel series.
  • Verify the patch by checking the commit log for the changes to ptype_seq_show() and ptype_seq_next().
  • If an immediate kernel upgrade is not possible, restrict access to /proc/net/ptype and limit the use of packet_type configurations to trusted administrators.
  • Monitor system logs for signs of kernel stalling or repeated RCU warnings and apply the patch as soon as a suitable update becomes available.

Generated by OpenCVE AI on March 27, 2026 at 11:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
References

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-366
CWE-416

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-665

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-665

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-754
CWE-788

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-754
CWE-788

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-360
CWE-416

Wed, 25 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-360
CWE-416

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 18 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: add proper RCU protection to /proc/net/ptype Yin Fengwei reported an RCU stall in ptype_seq_show() and provided a patch. Real issue is that ptype_seq_next() and ptype_seq_show() violate RCU rules. ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev to get device name without any barrier. At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->dev without an RCU grace period. Define ptype_iter_state to carry a dev pointer along seq_net_private: struct ptype_iter_state { struct seq_net_private p; struct net_device *dev; // added in this patch }; We need to record the device pointer in ptype_get_idx() and ptype_seq_next() so that ptype_seq_show() is safe against concurrent pt->dev changes. We also need to add full RCU protection in ptype_seq_next(). (Missing READ_ONCE() when reading list.next values) Many thanks to Dong Chenchen for providing a repro.
Title net: add proper RCU protection to /proc/net/ptype
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T11:30:54.294Z

Reserved: 2026-01-13T15:37:45.990Z

Link: CVE-2026-23255

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-18T18:16:23.687

Modified: 2026-04-02T12:16:19.657

Link: CVE-2026-23255

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23255 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T15:48:23Z

Weaknesses