{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22994", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.937Z", "datePublished": "2026-01-23T15:24:14.749Z", "dateUpdated": "2026-05-11T21:57:56.914Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:57:56.914Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix reference count leak in bpf_prog_test_run_xdp()\n\nsyzbot is reporting\n\n unregister_netdevice: waiting for sit0 to become free. Usage count = 2\n\nproblem. A debug printk() patch found that a refcount is obtained at\nxdp_convert_md_to_buff() from bpf_prog_test_run_xdp().\n\nAccording to commit ec94670fcb3b (\"bpf: Support specifying ingress via\nxdp_md context in BPF_PROG_TEST_RUN\"), the refcount obtained by\nxdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().\n\nTherefore, we can consider that the error handling path introduced by\ncommit 1c1949982524 (\"bpf: introduce frags support to\nbpf_prog_test_run_xdp()\") forgot to call xdp_convert_buff_to_md()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bpf/test_run.c"], "versions": [{"version": "1c194998252469cad00a08bd9ef0b99fd255c260", "lessThan": "368569bc546d3368ee9980ba79fc42fdff9a3365", "status": "affected", "versionType": "git"}, {"version": "1c194998252469cad00a08bd9ef0b99fd255c260", "lessThan": "98676ee71fd4eafeb8be63c7f3f1905d40e03101", "status": "affected", "versionType": "git"}, {"version": "1c194998252469cad00a08bd9ef0b99fd255c260", "lessThan": "fb9ef40cccdbacce36029b305d0ef1e12e4fea38", "status": "affected", "versionType": "git"}, {"version": "1c194998252469cad00a08bd9ef0b99fd255c260", "lessThan": "737be05a765761d7d7c9f7fe92274bd8e6f6951e", "status": "affected", "versionType": "git"}, {"version": "1c194998252469cad00a08bd9ef0b99fd255c260", "lessThan": "ec69daabe45256f98ac86c651b8ad1b2574489a7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bpf/test_run.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.161", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.121", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.66", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.6", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.1.161"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.6.121"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.12.66"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.18.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/368569bc546d3368ee9980ba79fc42fdff9a3365"}, {"url": "https://git.kernel.org/stable/c/98676ee71fd4eafeb8be63c7f3f1905d40e03101"}, {"url": "https://git.kernel.org/stable/c/fb9ef40cccdbacce36029b305d0ef1e12e4fea38"}, {"url": "https://git.kernel.org/stable/c/737be05a765761d7d7c9f7fe92274bd8e6f6951e"}, {"url": "https://git.kernel.org/stable/c/ec69daabe45256f98ac86c651b8ad1b2574489a7"}], "title": "bpf: Fix reference count leak in bpf_prog_test_run_xdp()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8396A00-9DF6-4F41-B27A-476CA41851D0", "versionEndExcluding": "6.1.161", "versionStartIncluding": "5.18", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB7A164B-7422-4A1C-82FB-5FCAEE53C06C", "versionEndExcluding": "6.6.121", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F72B884C-B44F-40E4-9895-CE421AC663D0", "versionEndExcluding": "6.12.66", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "879529BC-5B4C-4EBE-BF1D-1A31404A8B2E", "versionEndExcluding": "6.18.6", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix reference count leak in bpf_prog_test_run_xdp()\n\nsyzbot is reporting\n\n unregister_netdevice: waiting for sit0 to become free. Usage count = 2\n\nproblem. A debug printk() patch found that a refcount is obtained at\nxdp_convert_md_to_buff() from bpf_prog_test_run_xdp().\n\nAccording to commit ec94670fcb3b (\"bpf: Support specifying ingress via\nxdp_md context in BPF_PROG_TEST_RUN\"), the refcount obtained by\nxdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().\n\nTherefore, we can consider that the error handling path introduced by\ncommit 1c1949982524 (\"bpf: introduce frags support to\nbpf_prog_test_run_xdp()\") forgot to call xdp_convert_buff_to_md()."}], "id": "CVE-2026-22994", "lastModified": "2026-02-26T17:19:00.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-23T16:15:55.490", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/368569bc546d3368ee9980ba79fc42fdff9a3365"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/737be05a765761d7d7c9f7fe92274bd8e6f6951e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/98676ee71fd4eafeb8be63c7f3f1905d40e03101"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ec69daabe45256f98ac86c651b8ad1b2574489a7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fb9ef40cccdbacce36029b305d0ef1e12e4fea38"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: bpf: Fix reference count leak in bpf_prog_test_run_xdp()", "id": "2432396", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432396"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-22994", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22994\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22994\nhttps://lore.kernel.org/linux-cve-announce/2026012352-CVE-2026-22994-ab5f@gregkh/T"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-18T18:53:59.043538+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the commit that fixes the reference count leak in bpf_prog_test_run_xdp()", "Restrict usage of the BPF_PROG_TEST_RUN interface by removing CAP_SYS_ADMIN from untrusted users or applying kernel capability restrictions", "Monitor kernel logs for 'unregister_netdevice: waiting...' warnings and kernel memory usage, and investigate any persistent leaks"], "summary": {"action": "Update kernel", "impact": "Resource exhaustion leading to possible denial of service"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases are listed in the CPE data; the vulnerability was identified in early 6.19 release candidates (rc1\u2011rc5). Any system using those kernels or earlier ones until the fix was integrated is potentially impacted. The patch is part of the mainline kernel; administrators should verify that their kernel build includes the commits that resolve the leak.", "description_and_impact": "The kernel bug causes a reference count to leak when running certain BPF programs with XDP using the test run interface. This leads to an unmanaged increase in kernel memory and pointer references, which over time can exhaust resources and destabilize the system. The flaw is a classic resource leak and does not directly grant arbitrary code execution or privilege escalation, but it can degrade availability if exploited repeatedly.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, while an EPSS score under 1% implies a low likelihood of exploitation in the wild. Based on the description, it is inferred that using the BPF_PROG_TEST_RUN interface typically requires elevated privileges such as root or CAP_SYS_ADMIN. Because the bug involves kernel reference counters, concluding that unprivileged users would not be able to exploit it directly requires inference; the CVE description does not state this explicitly. The bug is not currently listed in the CISA KEV catalog, further reducing its prominence as a target for adversaries."}}}}, "created": "2026-04-18T19:00:08.041356+00:00", "updated": "2026-04-18T19:00:08.041377+00:00", "vendors": []}