CVE-2026-23294 - Vulnerability Details

- bpf: Fix race in devmap on PREEMPT_RT

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix race in devmap on PREEMPT_RT

On PREEMPT_RT kernels, the per-CPU xdp_dev_bulk_queue (bq) can be
accessed concurrently by multiple preemptible tasks on the same CPU.

The original code assumes bq_enqueue() and __dev_flush() run atomically
with respect to each other on the same CPU, relying on
local_bh_disable() to prevent preemption. However, on PREEMPT_RT,
local_bh_disable() only calls migrate_disable() (when
PREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable
preemption, which allows CFS scheduling to preempt a task during
bq_xmit_all(), enabling another task on the same CPU to enter
bq_enqueue() and operate on the same per-CPU bq concurrently.

This leads to several races:

1. Double-free / use-after-free on bq->q[]: bq_xmit_all() snapshots
cnt = bq->count, then iterates bq->q[0..cnt-1] to transmit frames.
If preempted after the snapshot, a second task can call bq_enqueue()
-> bq_xmit_all() on the same bq, transmitting (and freeing) the
same frames. When the first task resumes, it operates on stale
pointers in bq->q[], causing use-after-free.

2. bq->count and bq->q[] corruption: concurrent bq_enqueue() modifying
bq->count and bq->q[] while bq_xmit_all() is reading them.

3. dev_rx/xdp_prog teardown race: __dev_flush() clears bq->dev_rx and
bq->xdp_prog after bq_xmit_all(). If preempted between
bq_xmit_all() return and bq->dev_rx = NULL, a preempting
bq_enqueue() sees dev_rx still set (non-NULL), skips adding bq to
the flush_list, and enqueues a frame. When __dev_flush() resumes,
it clears dev_rx and removes bq from the flush_list, orphaning the
newly enqueued frame.

4. __list_del_clearprev() on flush_node: similar to the cpumap race,
both tasks can call __list_del_clearprev() on the same flush_node,
the second dereferences the prev pointer already set to NULL.

The race between task A (__dev_flush -> bq_xmit_all) and task B
(bq_enqueue -> bq_xmit_all) on the same CPU:

Task A (xdp_do_flush) Task B (ndo_xdp_xmit redirect)
---------------------- --------------------------------
__dev_flush(flush_list)
bq_xmit_all(bq)
cnt = bq->count /* e.g. 16 */
/* start iterating bq->q[] */
<-- CFS preempts Task A -->
bq_enqueue(dev, xdpf)
bq->count == DEV_MAP_BULK_SIZE
bq_xmit_all(bq, 0)
cnt = bq->count /* same 16! */
ndo_xdp_xmit(bq->q[])
/* frames freed by driver */
bq->count = 0
<-- Task A resumes -->
ndo_xdp_xmit(bq->q[])
/* use-after-free: frames already freed! */

Fix this by adding a local_lock_t to xdp_dev_bulk_queue and acquiring
it in bq_enqueue() and __dev_flush(). These paths already run under
local_bh_disable(), so use local_lock_nested_bh() which on non-RT is
a pure annotation with no overhead, and on PREEMPT_RT provides a
per-CPU sleeping lock that serializes access to the bq.

Published: 2026-03-25

Score: 7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A data‑race vulnerability exists in the Linux kernel’s XDP devmap handling on PREEMPT_RT builds. Concurrent access to the per‑CPU xdp_dev_bulk_queue can cause double‑free, use‑after‑free, and queue corruption during frame transmission. These conditions can corrupt kernel memory, crash the system, and may enable an attacker to gain higher privileges or cause a denial of service.

Affected Systems

All Linux kernel installations compiled with PREEMPT_RT support. The flaw affects the XDP devmap interface used for high‑performance packet handling. No specific kernel version is listed, but the fix is integrated in the latest kernel source that includes the NICS commit referenced in the advisory.

Risk and Exploitability

The CVSS score of 7 indicates high severity, while the EPSS score of less than 1% suggests low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require race conditions on the same CPU, typically involving concurrent XDP traffic processing, and is likely limited to local or privileged attackers who can control XDP programs.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`3253cb49cbad4772389d6ef55be75db1f97da910`	affected	< 6c10b019785dc282c5f45d21e4a3f468b8fd6476
`3253cb49cbad4772389d6ef55be75db1f97da910`	affected	< ab1a56c9d99189aa5c6e03940d06e40ba6a28240
`3253cb49cbad4772389d6ef55be75db1f97da910`	affected	< 1872e75375c40add4a35990de3be77b5741c252c

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[3253cb49cbad4772389d6ef55be75db1f97da910,6c10b019785dc282c5f45d21e4a3f468b8fd6476)`	affected	code_commit	—
`[3253cb49cbad4772389d6ef55be75db1f97da910,ab1a56c9d99189aa5c6e03940d06e40ba6a28240)`	affected	code_commit	—
`[3253cb49cbad4772389d6ef55be75db1f97da910,1872e75375c40add4a35990de3be77b5741c252c)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.18`	affected	generic	—
`[0,6.18)`	unaffected	generic	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc2,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the fix for CVE-2026-23294 (the relevant commit is documented in the advisory).
If unable to upgrade immediately, restrict or disable XDP program usage on PREEMPT_RT kernels until a patched kernel is available.

Generated by OpenCVE AI on April 2, 2026 at 16:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1872e75375c40add4a35990de3be77b5741c252c
https://git.kernel.org/stable/c/6c10b019785dc282c5f45d21e4a3f468b8fd6476
https://git.kernel.org/stable/c/ab1a56c9d99189aa5c6e03940d06e40ba6a28240
https://lore.kernel.org/linux-cve-announce/2026032525-CVE-2026-23294-1682@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23294
https://www.cve.org/CVERecord?id=CVE-2026-23294

History

Thu, 02 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-362 CWE-416

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026032525-CVE-2026-23294-1682@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23294 https://www.cve.org/CVERecord?id=CVE-2026-23294

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-416

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bpf: Fix race in devmap on PREEMPT_RT On PREEMPT_RT kernels, the per-CPU xdp_dev_bulk_queue (bq) can be accessed concurrently by multiple preemptible tasks on the same CPU. The original code assumes bq_enqueue() and __dev_flush() run atomically with respect to each other on the same CPU, relying on local_bh_disable() to prevent preemption. However, on PREEMPT_RT, local_bh_disable() only calls migrate_disable() (when PREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable preemption, which allows CFS scheduling to preempt a task during bq_xmit_all(), enabling another task on the same CPU to enter bq_enqueue() and operate on the same per-CPU bq concurrently. This leads to several races: 1. Double-free / use-after-free on bq->q[]: bq_xmit_all() snapshots cnt = bq->count, then iterates bq->q[0..cnt-1] to transmit frames. If preempted after the snapshot, a second task can call bq_enqueue() -> bq_xmit_all() on the same bq, transmitting (and freeing) the same frames. When the first task resumes, it operates on stale pointers in bq->q[], causing use-after-free. 2. bq->count and bq->q[] corruption: concurrent bq_enqueue() modifying bq->count and bq->q[] while bq_xmit_all() is reading them. 3. dev_rx/xdp_prog teardown race: __dev_flush() clears bq->dev_rx and bq->xdp_prog after bq_xmit_all(). If preempted between bq_xmit_all() return and bq->dev_rx = NULL, a preempting bq_enqueue() sees dev_rx still set (non-NULL), skips adding bq to the flush_list, and enqueues a frame. When __dev_flush() resumes, it clears dev_rx and removes bq from the flush_list, orphaning the newly enqueued frame. 4. __list_del_clearprev() on flush_node: similar to the cpumap race, both tasks can call __list_del_clearprev() on the same flush_node, the second dereferences the prev pointer already set to NULL. The race between task A (__dev_flush -> bq_xmit_all) and task B (bq_enqueue -> bq_xmit_all) on the same CPU: Task A (xdp_do_flush) Task B (ndo_xdp_xmit redirect) ---------------------- -------------------------------- __dev_flush(flush_list) bq_xmit_all(bq) cnt = bq->count /* e.g. 16 / / start iterating bq->q[] / <-- CFS preempts Task A --> bq_enqueue(dev, xdpf) bq->count == DEV_MAP_BULK_SIZE bq_xmit_all(bq, 0) cnt = bq->count / same 16! / ndo_xdp_xmit(bq->q[]) / frames freed by driver / bq->count = 0 <-- Task A resumes --> ndo_xdp_xmit(bq->q[]) / use-after-free: frames already freed! */ Fix this by adding a local_lock_t to xdp_dev_bulk_queue and acquiring it in bq_enqueue() and __dev_flush(). These paths already run under local_bh_disable(), so use local_lock_nested_bh() which on non-RT is a pure annotation with no overhead, and on PREEMPT_RT provides a per-CPU sleeping lock that serializes access to the bq.
Title		bpf: Fix race in devmap on PREEMPT_RT
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1872e75375c40add4a35990de3be77b5741c252c https://git.kernel.org/stable/c/6c10b019785dc282c5f45d21e4a3f468b8fd6476 https://git.kernel.org/stable/c/ab1a56c9d99189aa5c6e03940d06e40ba6a28240

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:26:51.946Z

Updated: 2026-04-13T06:03:48.527Z

Reserved: 2026-01-13T15:37:45.993Z

Link: CVE-2026-23294

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:24.697

Modified: 2026-04-02T15:16:30.507

Link: CVE-2026-23294

Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23294 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:23:09Z

Weaknesses

CWE-364

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object