CVE-2026-23273 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

macvlan: observe an RCU grace period in macvlan_common_newlink() error path

valis reported that a race condition still happens after my prior patch.

macvlan_common_newlink() might have made @dev visible before
detecting an error, and its caller will directly call free_netdev(dev).

We must respect an RCU period, either in macvlan or the core networking
stack.

After adding a temporary mdelay(1000) in macvlan_forward_source_one()
to open the race window, valis repro was:

ip link add p1 type veth peer p2
ip link set address 00:00:00:00:00:20 dev p1
ip link set up dev p1
ip link set up dev p2
ip link add mv0 link p2 type macvlan mode source

(ip link add invalid% link p2 type macvlan mode source macaddr add
00:00:00:00:00:20 &) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4
PING 1.2.3.4 (1.2.3.4): 56 data bytes
RTNETLINK answers: Invalid argument

BUG: KASAN: slab-use-after-free in macvlan_forward_source
(drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
Read of size 8 at addr ffff888016bb89c0 by task e/175

CPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl (lib/dump_stack.c:123)
print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
kasan_report (mm/kasan/report.c:597)
? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)
? tasklet_init (kernel/softirq.c:983)
macvlan_handle_frame (drivers/net/macvlan.c:501)

Allocated by task 169:
kasan_save_stack (mm/kasan/common.c:58)
kasan_save_track (./arch/x86/include/asm/current.h:25
mm/kasan/common.c:70 mm/kasan/common.c:79)
__kasan_kmalloc (mm/kasan/common.c:419)
__kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657
mm/slub.c:7140)
alloc_netdev_mqs (net/core/dev.c:12012)
rtnl_create_link (net/core/rtnetlink.c:3648)
rtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957
net/core/rtnetlink.c:4072)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)

Freed by task 169:
kasan_save_stack (mm/kasan/common.c:58)
kasan_save_track (./arch/x86/include/asm/current.h:25
mm/kasan/common.c:70 mm/kasan/common.c:79)
kasan_save_free_info (mm/kasan/generic.c:587)
__kasan_slab_free (mm/kasan/common.c:287)
kfree (mm/slub.c:6674 mm/slub.c:6882)
rtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957
net/core/rtnetlink.c:4072)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`da5c6b8ae47e414be47e5e04def15b25d5c962dc`	affected	< 91e4ff8d966978901630fc29582c1a76d3c6e46c
`5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a`	affected	< 3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4
`c43d0e787cbba569ec9d11579ed370b50fab6c9c`	affected	< 721eb342d9ba19bad5c4815ea3921465158b7362
`11ba9f0dc865136174cb98834280fb21bbc950c7`	affected	< 19c7d8ac51988d053709c1e85bd8482076af845d
`986967a162142710076782d5b93daab93a892980`	affected	< a1f686d273d129b45712d95f4095843b864466bd
`cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66`	affected	< d34f7a8aa9a25b7e64e0e46e444697c0f702374d
`f8db6475a83649689c087a8f52486fcc53e627e9`	affected	< 1e58ae87ad1e6e24368dea9aec9048c758cd0e2b
`f8db6475a83649689c087a8f52486fcc53e627e9`	affected	< e3f000f0dee1bfab52e2e61ca6a3835d9e187e35

Linux

affected

Version	Status	Constraints
`6.19`	affected	—
`0`	unaffected	< 6.19
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0-rc1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[da5c6b8ae47e414be47e5e04def15b25d5c962dc,91e4ff8d966978901630fc29582c1a76d3c6e46c)`	affected	code_commit	—
`[5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a,3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4)`	affected	code_commit	—
`[c43d0e787cbba569ec9d11579ed370b50fab6c9c,721eb342d9ba19bad5c4815ea3921465158b7362)`	affected	code_commit	—
`[11ba9f0dc865136174cb98834280fb21bbc950c7,19c7d8ac51988d053709c1e85bd8482076af845d)`	affected	code_commit	—
`[986967a162142710076782d5b93daab93a892980,a1f686d273d129b45712d95f4095843b864466bd)`	affected	code_commit	—
`[cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66,d34f7a8aa9a25b7e64e0e46e444697c0f702374d)`	affected	code_commit	—
`[f8db6475a83649689c087a8f52486fcc53e627e9,e3f000f0dee1bfab52e2e61ca6a3835d9e187e35)`	affected	code_commit	—
`[f8db6475a83649689c087a8f52486fcc53e627e9,e3f000f0dee1bfab52e2e61ca6a3835d9e187e35)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.19`	affected	semver	—
`[0,6.19)`	unaffected	semver	—
`[5.10.252,5.11.0)`	unaffected	semver	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/19c7d8ac51988d053709c1e85bd8482076af845d
https://git.kernel.org/stable/c/1e58ae87ad1e6e24368dea9aec9048c758cd0e2b
https://git.kernel.org/stable/c/3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4
https://git.kernel.org/stable/c/721eb342d9ba19bad5c4815ea3921465158b7362
https://git.kernel.org/stable/c/91e4ff8d966978901630fc29582c1a76d3c6e46c
https://git.kernel.org/stable/c/a1f686d273d129b45712d95f4095843b864466bd
https://git.kernel.org/stable/c/d34f7a8aa9a25b7e64e0e46e444697c0f702374d
https://git.kernel.org/stable/c/e3f000f0dee1bfab52e2e61ca6a3835d9e187e35
https://lore.kernel.org/linux-cve-announce/2026032034-CVE-2026-23273-3669@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23273
https://www.cve.org/CVERecord?id=CVE-2026-23273

History

Sat, 21 Mar 2026 05:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026032034-CVE-2026-23273-3669@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23273 https://www.cve.org/CVERecord?id=CVE-2026-23273
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 20 Mar 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Fri, 20 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 20 Mar 2026 08:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: macvlan: observe an RCU grace period in macvlan_common_newlink() error path valis reported that a race condition still happens after my prior patch. macvlan_common_newlink() might have made @dev visible before detecting an error, and its caller will directly call free_netdev(dev). We must respect an RCU period, either in macvlan or the core networking stack. After adding a temporary mdelay(1000) in macvlan_forward_source_one() to open the race window, valis repro was: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source (ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 &) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4 PING 1.2.3.4 (1.2.3.4): 56 data bytes RTNETLINK answers: Invalid argument BUG: KASAN: slab-use-after-free in macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) Read of size 8 at addr ffff888016bb89c0 by task e/175 CPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) kasan_report (mm/kasan/report.c:597) ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) ? tasklet_init (kernel/softirq.c:983) macvlan_handle_frame (drivers/net/macvlan.c:501) Allocated by task 169: kasan_save_stack (mm/kasan/common.c:58) kasan_save_track (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:70 mm/kasan/common.c:79) __kasan_kmalloc (mm/kasan/common.c:419) __kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657 mm/slub.c:7140) alloc_netdev_mqs (net/core/dev.c:12012) rtnl_create_link (net/core/rtnetlink.c:3648) rtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957 net/core/rtnetlink.c:4072) rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) netlink_rcv_skb (net/netlink/af_netlink.c:2550) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) Freed by task 169: kasan_save_stack (mm/kasan/common.c:58) kasan_save_track (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:70 mm/kasan/common.c:79) kasan_save_free_info (mm/kasan/generic.c:587) __kasan_slab_free (mm/kasan/common.c:287) kfree (mm/slub.c:6674 mm/slub.c:6882) rtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957 net/core/rtnetlink.c:4072) rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) netlink_rcv_skb (net/netlink/af_netlink.c:2550) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
Title		macvlan: observe an RCU grace period in macvlan_common_newlink() error path
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/19c7d8ac51988d053709c1e85bd8482076af845d https://git.kernel.org/stable/c/1e58ae87ad1e6e24368dea9aec9048c758cd0e2b https://git.kernel.org/stable/c/3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4 https://git.kernel.org/stable/c/721eb342d9ba19bad5c4815ea3921465158b7362 https://git.kernel.org/stable/c/91e4ff8d966978901630fc29582c1a76d3c6e46c https://git.kernel.org/stable/c/a1f686d273d129b45712d95f4095843b864466bd https://git.kernel.org/stable/c/d34f7a8aa9a25b7e64e0e46e444697c0f702374d https://git.kernel.org/stable/c/e3f000f0dee1bfab52e2e61ca6a3835d9e187e35

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-20T08:08:54.111Z

Updated: 2026-03-20T08:08:54.111Z

Reserved: 2026-01-13T15:37:45.991Z

Link: CVE-2026-23273

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-20T09:16:12.847

Modified: 2026-03-20T13:37:50.737

Link: CVE-2026-23273

Redhat

Severity : Moderate

Publid Date: 2026-03-20T00:00:00Z

Links: CVE-2026-23273 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-20T16:27:50Z

Weaknesses

CWE-364

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

Tracking

JSON object

JSON object

JSON object

JSON object

JSON object