Description
In the Linux kernel, the following vulnerability has been resolved:

xsk: Fix fragment node deletion to prevent buffer leak

After commit b692bf9a7543 ("xsk: Get rid of xdp_buff_xsk::xskb_list_node"),
the list_node field is reused for both the xskb pool list and the buffer
free list, this causes a buffer leak as described below.

xp_free() checks if a buffer is already on the free list using
list_empty(&xskb->list_node). When list_del() is used to remove a node
from the xskb pool list, it doesn't reinitialize the node pointers.
This means list_empty() will return false even after the node has been
removed, causing xp_free() to incorrectly skip adding the buffer to the
free list.

Fix this by using list_del_init() instead of list_del() in all fragment
handling paths, this ensures the list node is reinitialized after removal,
allowing the list_empty() to work correctly.
Published: 2026-03-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Buffer Leak Leading to Resource Exhaustion
Action: Apply Patch
AI Analysis

Impact

The vulnerability exposes a buffer leak in the Linux kernel’s eXpress Data Path (XDP) socket (xsk) fragment handling. A node removed from the packet buffer pool list was not re‑initialized, causing the free‑list test to fail and preventing the buffer from being added back to the pool. This results in incrementally increasing memory usage as buffers are leaked. The weakness is a classic buffer leak, classified as CWE‑909, and can lead to degraded system performance or denial of service if the leak is exploited extensively.

Affected Systems

The flaw affects all Linux kernel releases that include the flawed xsk fragment handling logic prior to the commit that replaces list_del() with list_del_init(). Users of any distribution’s kernel that has not been updated to include this patch are vulnerable. The issue applies to kernel components associated with network packet handling and XDP socket (xsk) buffers. No specific vendor version numbers are listed; any kernel version lacking the patch is susceptible.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate impact, and the EPSS score of less than 1% suggests a low probability of exploitation. The flaw is not currently listed in the CISA KEV catalog. While the description does not state an explicit attack vector, the nature of the bug implies that an attacker would need to trigger the XDP fragment handling path—likely by sending a large number or specially crafted packets to a network interface configured for xsk. This inference points to a local or network‑based denial of service risk rather than remote code execution.

Generated by OpenCVE AI on March 26, 2026 at 13:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that contains commit b692bf9a7543 or any newer version that uses list_del_init for XDP fragment handling.
  • Verify your running kernel version with uname -r or by checking /boot/vmlinuz; ensure it includes the fix before asserting the system is protected.
  • If an immediate kernel update is not possible, monitor system memory usage and kernel logs for signs of the xsk buffer leak; apply temporary tuning or restrict XDP traffic until the patch can be deployed.
  • Consider disabling or reconfiguring XDP sockets on interfaces that do not need high‑speed packet processing to reduce the attack surface until the vulnerability is fully mitigated.

Generated by OpenCVE AI on March 26, 2026 at 13:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-909
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xsk: Fix fragment node deletion to prevent buffer leak After commit b692bf9a7543 ("xsk: Get rid of xdp_buff_xsk::xskb_list_node"), the list_node field is reused for both the xskb pool list and the buffer free list, this causes a buffer leak as described below. xp_free() checks if a buffer is already on the free list using list_empty(&xskb->list_node). When list_del() is used to remove a node from the xskb pool list, it doesn't reinitialize the node pointers. This means list_empty() will return false even after the node has been removed, causing xp_free() to incorrectly skip adding the buffer to the free list. Fix this by using list_del_init() instead of list_del() in all fragment handling paths, this ensures the list node is reinitialized after removal, allowing the list_empty() to work correctly.
Title xsk: Fix fragment node deletion to prevent buffer leak
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:05:01.188Z

Reserved: 2026-01-13T15:37:45.996Z

Link: CVE-2026-23326

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T11:16:29.687

Modified: 2026-04-23T21:11:17.750

Link: CVE-2026-23326

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23326 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:49:46Z

Weaknesses