{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23013", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.940Z", "datePublished": "2026-01-25T14:36:26.208Z", "dateUpdated": "2026-05-11T21:58:18.995Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:58:18.995Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback\n\noctep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to\nioq_vector. If request_irq() fails part-way, the rollback loop calls\nfree_irq() with dev_id set to 'oct', which does not match the original\ndev_id and may leave the irqaction registered.\n\nThis can keep IRQ handlers alive while ioq_vector is later freed during\nunwind/teardown, leading to a use-after-free or crash when an interrupt\nfires.\n\nFix the error path to free IRQs with the same ioq_vector dev_id used\nduring request_irq()."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c"], "versions": [{"version": "1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1", "lessThan": "aa05a8371ae4a452df623f7202c72409d3c50e40", "status": "affected", "versionType": "git"}, {"version": "1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1", "lessThan": "aa4c066229b05fc3d3c5f42693d25b1828533b6e", "status": "affected", "versionType": "git"}, {"version": "1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1", "lessThan": "f93fc5d12d69012788f82151bee55fce937e1432", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.67", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.7", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.12.67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.18.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/aa05a8371ae4a452df623f7202c72409d3c50e40"}, {"url": "https://git.kernel.org/stable/c/aa4c066229b05fc3d3c5f42693d25b1828533b6e"}, {"url": "https://git.kernel.org/stable/c/f93fc5d12d69012788f82151bee55fce937e1432"}], "title": "net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "89E789F9-62FD-41A3-B2A9-965C05F50BB1", "versionEndExcluding": "6.12.67", "versionStartIncluding": "6.9.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "99FF3E05-0E7A-44E9-8E47-BF6F1F8EC436", "versionEndExcluding": "6.18.7", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:-:*:*:*:*:*:*", "matchCriteriaId": "3F2A4A3D-068A-4CF2-A09F-9C7937DDB0A5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback\n\noctep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to\nioq_vector. If request_irq() fails part-way, the rollback loop calls\nfree_irq() with dev_id set to 'oct', which does not match the original\ndev_id and may leave the irqaction registered.\n\nThis can keep IRQ handlers alive while ioq_vector is later freed during\nunwind/teardown, leading to a use-after-free or crash when an interrupt\nfires.\n\nFix the error path to free IRQs with the same ioq_vector dev_id used\nduring request_irq()."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: octeon_ep_vf: corregir la falta de coincidencia de dev_id de free_irq en la reversi\u00f3n de IRQ\n\noctep_vf_request_irqs() solicita IRQs de cola MSI-X con dev_id establecido en ioq_vector. Si request_irq() falla a mitad de camino, el bucle de reversi\u00f3n llama a free_irq() con dev_id establecido en 'oct', lo que no coincide con el dev_id original y puede dejar la irqaction registrada.\n\nEsto puede mantener los manejadores de IRQ activos mientras ioq_vector es liberado posteriormente durante el desenrollado/desmontaje, lo que lleva a un uso despu\u00e9s de liberaci\u00f3n o un fallo cuando se dispara una interrupci\u00f3n.\n\nCorregir la ruta de error para liberar IRQs con el mismo dev_id de ioq_vector utilizado durante request_irq()."}], "id": "CVE-2026-23013", "lastModified": "2026-04-03T14:16:22.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-25T15:15:56.173", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aa05a8371ae4a452df623f7202c72409d3c50e40"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aa4c066229b05fc3d3c5f42693d25b1828533b6e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f93fc5d12d69012788f82151bee55fce937e1432"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback", "id": "2432668", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432668"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23013", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23013\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23013\nhttps://lore.kernel.org/linux-cve-announce/2026012538-CVE-2026-23013-303c@gregkh/T"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-15T21:35:35.322264+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a release that includes the fix for the IRQ rollback dev_id mismatch (e.g., the latest stable 6.19 or newer release).", "If an upgrade is not immediately possible, restrict the installation or loading of drivers that use the octeon_ep_vf interface and limit privileged device access to trusted users only. ", "While a temporary workaround is not supplied, monitor kernel logs for IRQ-related panics and apply any community patches that correct the free_irq dev_id handling if they become available."], "summary": {"action": "Immediate Patch", "impact": "Use-After-Free leading to kernel crash and denial of service"}, "threat_synthesis": {"affected_systems": "The issue appears in Linux kernel releases 6.19 in all release\u2011candidate builds and in kernel 6.9. Any system running one of these kernel versions, including development branches and early releases, is potentially impacted.", "description_and_impact": "A mismatch between the device identifier used when requesting MSI-X IRQs and the one used when freeing them can leave an IRQ action registered with an incorrect identifier. If the IRQ handler remains active after the associated device structure has been freed, an interrupt may trigger a use-after-free or cause a kernel crash. The flaw is classified as a use-after-free vulnerability.", "risk_and_exploitability": "With a CVSS score of 7 the potential impact is high, but the EPSS score of less than 1\u202f% and absence from the KEV catalog suggest a low likelihood of widespread exploitation. A local or privileged adversary that can trigger the faulty IRQ rollback path could cause a denial of service by crashing the kernel. The vulnerability is unlikely to be remotely exploitable without prior access to the affected system."}}}}, "created": "2026-04-15T21:45:14.143171+00:00", "updated": "2026-04-15T21:45:14.143191+00:00", "vendors": []}