{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23326", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.996Z", "datePublished": "2026-03-25T10:27:19.021Z", "dateUpdated": "2026-03-25T10:27:19.021Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:19.021Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix fragment node deletion to prevent buffer leak\n\nAfter commit b692bf9a7543 (\"xsk: Get rid of xdp_buff_xsk::xskb_list_node\"),\nthe list_node field is reused for both the xskb pool list and the buffer\nfree list, this causes a buffer leak as described below.\n\nxp_free() checks if a buffer is already on the free list using\nlist_empty(&xskb->list_node). When list_del() is used to remove a node\nfrom the xskb pool list, it doesn't reinitialize the node pointers.\nThis means list_empty() will return false even after the node has been\nremoved, causing xp_free() to incorrectly skip adding the buffer to the\nfree list.\n\nFix this by using list_del_init() instead of list_del() in all fragment\nhandling paths, this ensures the list node is reinitialized after removal,\nallowing the list_empty() to work correctly."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/xdp_sock_drv.h", "net/xdp/xsk.c"], "versions": [{"version": "560c974b7ccd95bb9ff20df77f6654283e45c9c6", "lessThan": "5172adf9efb8298a52f4dcdc3f98d4d9d1e06a6d", "status": "affected", "versionType": "git"}, {"version": "fd5614763805d6f386bd07cc53558f88b1b1eb62", "lessThan": "2a9ea988465ece5b6896b1bdc144170a64e84c35", "status": "affected", "versionType": "git"}, {"version": "b692bf9a7543af7ad11a59d182a3757578f0ba53", "lessThan": "645c6d8376ad4913cbffe0e0c2cca0c4febbe596", "status": "affected", "versionType": "git"}, {"version": "b692bf9a7543af7ad11a59d182a3757578f0ba53", "lessThan": "b38cbd4af5034635cff109e08788c63f956f3a69", "status": "affected", "versionType": "git"}, {"version": "b692bf9a7543af7ad11a59d182a3757578f0ba53", "lessThan": "60abb0ac11dccd6b98fd9182bc5f85b621688861", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/xdp_sock_drv.h", "net/xdp/xsk.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5172adf9efb8298a52f4dcdc3f98d4d9d1e06a6d"}, {"url": "https://git.kernel.org/stable/c/2a9ea988465ece5b6896b1bdc144170a64e84c35"}, {"url": "https://git.kernel.org/stable/c/645c6d8376ad4913cbffe0e0c2cca0c4febbe596"}, {"url": "https://git.kernel.org/stable/c/b38cbd4af5034635cff109e08788c63f956f3a69"}, {"url": "https://git.kernel.org/stable/c/60abb0ac11dccd6b98fd9182bc5f85b621688861"}], "title": "xsk: Fix fragment node deletion to prevent buffer leak", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix fragment node deletion to prevent buffer leak\n\nAfter commit b692bf9a7543 (\"xsk: Get rid of xdp_buff_xsk::xskb_list_node\"),\nthe list_node field is reused for both the xskb pool list and the buffer\nfree list, this causes a buffer leak as described below.\n\nxp_free() checks if a buffer is already on the free list using\nlist_empty(&xskb->list_node). When list_del() is used to remove a node\nfrom the xskb pool list, it doesn't reinitialize the node pointers.\nThis means list_empty() will return false even after the node has been\nremoved, causing xp_free() to incorrectly skip adding the buffer to the\nfree list.\n\nFix this by using list_del_init() instead of list_del() in all fragment\nhandling paths, this ensures the list node is reinitialized after removal,\nallowing the list_empty() to work correctly."}], "id": "CVE-2026-23326", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:29.687", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2a9ea988465ece5b6896b1bdc144170a64e84c35"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5172adf9efb8298a52f4dcdc3f98d4d9d1e06a6d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/60abb0ac11dccd6b98fd9182bc5f85b621688861"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/645c6d8376ad4913cbffe0e0c2cca0c4febbe596"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b38cbd4af5034635cff109e08788c63f956f3a69"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: xsk: Fix fragment node deletion to prevent buffer leak", "id": "2451215", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451215"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-909", "details": ["A flaw was found in the Linux kernel. An issue in the eXpress Data Path (XDP) socket (xsk) component, specifically during fragment node deletion, can lead to a buffer leak. This occurs because a list node is not properly reinitialized after removal, causing the system to incorrectly manage memory. This could potentially lead to system instability or a denial of service."], "name": "CVE-2026-23326", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23326\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23326\nhttps://lore.kernel.org/linux-cve-announce/2026032531-CVE-2026-23326-ffc6@gregkh/T"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-03-25T11:43:25.941089+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that contains the patched commit b692bf9a7543", "Verify the kernel version to ensure replacement of list_del with list_del_init in the xsk fragment handling code"], "summary": {"action": "Patch Now", "impact": "Memory Resource Exhaustion due to kernel buffer leak"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Linux kernel on any system that implements the XDP socket (xsk) path and has not yet incorporated the commit that replaces list_del with list_del_init. No specific kernel release versions are listed, so all affected builds prior to the patch could be vulnerable.", "description_and_impact": "A flaw in the Linux kernel\u2019s XDP socket implementation causes a buffer leak when fragment nodes are removed from a list without reinitializing the list pointers. As a result, the free routine fails to add the buffer back to the free pool, leading to uncontrolled memory consumption. The defect can degrade system availability by exhausting kernel memory, potentially enabling denial\u2011of\u2011service attacks or worsening other vulnerabilities that rely on available memory.", "risk_and_exploitability": "The CVSS score and EPSS are not available, and the issue is not listed in the CISA KEV catalog. The flaw requires kernel execution to trigger the memory leak, meaning it is a local issue that could lead to resource exhaustion rather than direct remote code execution. Attackers with local kernel privileges could repeatedly trigger the leak to cause a denial\u2011of\u2011service condition. While the vulnerability alone does not provide a straightforward exploitation pathway, it raises the overall attack surface and impact for systems running unpatched kernels."}}}}, "created": "2026-03-25T21:27:35.030841+00:00", "updated": "2026-03-25T21:27:35.030883+00:00", "vendors": [], "weaknesses": ["CWE-401"]}