Description
In the Linux kernel, the following vulnerability has been resolved:

ipmi: Fix use-after-free and list corruption on sender error

The analysis from Breno:

When the SMI sender returns an error, smi_work() delivers an error
response but then jumps back to restart without cleaning up properly:

1. intf->curr_msg is not cleared, so no new message is pulled
2. newmsg still points to the message, causing sender() to be called
again with the same message
3. If sender() fails again, deliver_err_response() is called with
the same recv_msg that was already queued for delivery

This causes list_add corruption ("list_add double add") because the
recv_msg is added to the user_msgs list twice. Subsequently, the
corrupted list leads to use-after-free when the memory is freed and
reused, and eventually a NULL pointer dereference when accessing
recv_msg->done.

The buggy sequence:

sender() fails
-> deliver_err_response(recv_msg) // recv_msg queued for delivery
-> goto restart // curr_msg not cleared!
sender() fails again (same message!)
-> deliver_err_response(recv_msg) // tries to queue same recv_msg
-> LIST CORRUPTION

Fix this by freeing the message and setting it to NULL on a send error.
Also, always free the newmsg on a send error, otherwise it will leak.
Published: 2026-03-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel crash and memory corruption
Action: Apply patch
AI Analysis

Impact

A flaw in the IPMI SMI sender’s error handling causes a message already queued for delivery to be processed again. This repeats the list insertion and corrupts the kernel message list, leading to a use‑after‑free and a subsequent NULL pointer dereference when the entry is accessed. The result is kernel memory corruption that can trigger a panic or denial of service.

Affected Systems

All Linux kernel versions that include the vulnerable IPMI implementation—i.e., any kernel released before the commit that clears the current message pointer and frees error messages—may be affected. The issue resides in the kernel itself, so any user‑space process or privileged component that interacts with the host’s IPMI interface can encounter the problem. Administrators should treat all older kernels as at risk until the patch is applied.

Risk and Exploitability

The estimated likelihood of exploitation is below one percent, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker would need to provoke the error path in the SMI sender, which typically requires local or privileged network access to an IPMI‑enabled host. Successful exploitation could cause a kernel crash and service interruption; while the damage could, in theory, lead to privilege escalation via kernel destabilization, the description does not confirm that code execution is feasible.

Generated by OpenCVE AI on March 27, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the commit clearing the current message pointer and freeing messages on error
  • If an upgrade cannot be performed immediately, disable or lock down the IPMI subsystem to trusted users or hosts
  • Continuously monitor vendor advisories and apply subsequent updates when available

Generated by OpenCVE AI on March 27, 2026 at 23:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-482

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-590

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-590

Wed, 25 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ipmi: Fix use-after-free and list corruption on sender error The analysis from Breno: When the SMI sender returns an error, smi_work() delivers an error response but then jumps back to restart without cleaning up properly: 1. intf->curr_msg is not cleared, so no new message is pulled 2. newmsg still points to the message, causing sender() to be called again with the same message 3. If sender() fails again, deliver_err_response() is called with the same recv_msg that was already queued for delivery This causes list_add corruption ("list_add double add") because the recv_msg is added to the user_msgs list twice. Subsequently, the corrupted list leads to use-after-free when the memory is freed and reused, and eventually a NULL pointer dereference when accessing recv_msg->done. The buggy sequence: sender() fails -> deliver_err_response(recv_msg) // recv_msg queued for delivery -> goto restart // curr_msg not cleared! sender() fails again (same message!) -> deliver_err_response(recv_msg) // tries to queue same recv_msg -> LIST CORRUPTION Fix this by freeing the message and setting it to NULL on a send error. Also, always free the newmsg on a send error, otherwise it will leak.
Title ipmi: Fix use-after-free and list corruption on sender error
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:04:37.508Z

Reserved: 2026-01-13T15:37:45.996Z

Link: CVE-2026-23322

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T11:16:29.107

Modified: 2026-04-23T21:05:22.450

Link: CVE-2026-23322

cve-icon Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23322 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:28:30Z

Weaknesses