{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23072", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.957Z", "datePublished": "2026-02-04T16:07:52.790Z", "dateUpdated": "2026-05-11T21:59:27.431Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:27.431Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: Fix memleak in l2tp_udp_encap_recv().\n\nsyzbot reported memleak of struct l2tp_session, l2tp_tunnel,\nsock, etc. [0]\n\nThe cited commit moved down the validation of the protocol\nversion in l2tp_udp_encap_recv().\n\nThe new place requires an extra error handling to avoid the\nmemleak.\n\nLet's call l2tp_session_put() there.\n\n[0]:\nBUG: memory leak\nunreferenced object 0xffff88810a290200 (size 512):\n comm \"syz.0.17\", pid 6086, jiffies 4294944299\n hex dump (first 32 bytes):\n 7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00 }...............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc babb6a4f):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4958 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n __do_kmalloc_node mm/slub.c:5656 [inline]\n __kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669\n kmalloc_noprof include/linux/slab.h:961 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778\n pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755\n __sys_connect_file+0x7a/0xb0 net/socket.c:2089\n __sys_connect+0xde/0x110 net/socket.c:2108\n __do_sys_connect net/socket.c:2114 [inline]\n __se_sys_connect net/socket.c:2111 [inline]\n __x64_sys_connect+0x1c/0x30 net/socket.c:2111\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/l2tp/l2tp_core.c"], "versions": [{"version": "364798056f518b0bf2f17cd9eaf0dd4e856d7393", "lessThan": "5cd158a88eef34e7b100cd9b963873d3b4e41b35", "status": "affected", "versionType": "git"}, {"version": "364798056f518b0bf2f17cd9eaf0dd4e856d7393", "lessThan": "d4ce79e6dce2a4a49eebceea7b4caf5dc0f0ef3d", "status": "affected", "versionType": "git"}, {"version": "364798056f518b0bf2f17cd9eaf0dd4e856d7393", "lessThan": "4d10edfd1475b69dbd4c47f34b61a3772ece83ca", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/l2tp/l2tp_core.c"], "versions": [{"version": "6.10", "status": "affected"}, {"version": "0", "lessThan": "6.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5cd158a88eef34e7b100cd9b963873d3b4e41b35"}, {"url": "https://git.kernel.org/stable/c/d4ce79e6dce2a4a49eebceea7b4caf5dc0f0ef3d"}, {"url": "https://git.kernel.org/stable/c/4d10edfd1475b69dbd4c47f34b61a3772ece83ca"}], "title": "l2tp: Fix memleak in l2tp_udp_encap_recv().", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B360F4B3-2812-43A4-9C53-C15FABD0EBFB", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: Fix memleak in l2tp_udp_encap_recv().\n\nsyzbot reported memleak of struct l2tp_session, l2tp_tunnel,\nsock, etc. [0]\n\nThe cited commit moved down the validation of the protocol\nversion in l2tp_udp_encap_recv().\n\nThe new place requires an extra error handling to avoid the\nmemleak.\n\nLet's call l2tp_session_put() there.\n\n[0]:\nBUG: memory leak\nunreferenced object 0xffff88810a290200 (size 512):\n comm \"syz.0.17\", pid 6086, jiffies 4294944299\n hex dump (first 32 bytes):\n 7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00 }...............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc babb6a4f):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4958 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n __do_kmalloc_node mm/slub.c:5656 [inline]\n __kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669\n kmalloc_noprof include/linux/slab.h:961 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778\n pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755\n __sys_connect_file+0x7a/0xb0 net/socket.c:2089\n __sys_connect+0xde/0x110 net/socket.c:2108\n __do_sys_connect net/socket.c:2114 [inline]\n __se_sys_connect net/socket.c:2111 [inline]\n __x64_sys_connect+0x1c/0x30 net/socket.c:2111\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nl2tp: Solucionar fuga de memoria en l2tp_udp_encap_recv().\n\nsyzbot inform\u00f3 una fuga de memoria de struct l2tp_session, l2tp_tunnel, sock, etc. [0]\n\nEl commit citado movi\u00f3 hacia abajo la validaci\u00f3n de la versi\u00f3n del protocolo en l2tp_udp_encap_recv().\n\nEl nuevo lugar requiere un manejo de errores adicional para evitar la fuga de memoria.\n\nLlamemos a l2tp_session_put() all\u00ed.\n\n[0]:\nERROR: fuga de memoria\nobjeto sin referencia 0xffff88810a290200 (tama\u00f1o 512):\n comm 'syz.0.17', pid 6086, jiffies 4294944299\n volcado hexadecimal (primeros 32 bytes):\n 7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00 }...............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n rastreo de pila (crc babb6a4f):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4958 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n __do_kmalloc_node mm/slub.c:5656 [inline]\n __kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669\n kmalloc_noprof include/linux/slab.h:961 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778\n pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755\n __sys_connect_file+0x7a/0xb0 net/socket.c:2089\n __sys_connect+0xde/0x110 net/socket.c:2108\n __do_sys_connect net/socket.c:2114 [inline]\n __se_sys_connect net/socket.c:2111 [inline]\n __x64_sys_connect+0x1c/0x30 net/socket.c:2111\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"}], "id": "CVE-2026-23072", "lastModified": "2026-03-18T17:17:52.883", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:17.923", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4d10edfd1475b69dbd4c47f34b61a3772ece83ca"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5cd158a88eef34e7b100cd9b963873d3b4e41b35"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d4ce79e6dce2a4a49eebceea7b4caf5dc0f0ef3d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: l2tp: Fix memleak in l2tp_udp_encap_recv()", "id": "2436814", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436814"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23072", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23072\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23072\nhttps://lore.kernel.org/linux-cve-announce/2026020418-CVE-2026-23072-916e@gregkh/T"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-17T23:39:26.243844+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the patch, such as the latest 6.19 stable release or any later release that contains commit 4d10edfd\u2026 .", "Reboot the system to load the upgraded kernel.", "If your distribution does not yet offer the updated kernel, apply the upstream patch to the kernel source, rebuild, and install the modified kernel."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via memory exhaustion"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that contain the vulnerability, including the 6.19 series up to the latest kernel revision before the fix commit. The affected kernels are identified by CPE strings cpe:2.3:o:linux:linux_kernel:6.19:rc1, \u2026 rc6 and any other releases derived from these. In practice, any kernel version that has not incorporated the patch found in the 4d10edfd\u2026 commit is at risk. Vendors offering general Linux kernel packages should verify that their distribution has applied the same upstream change.", "description_and_impact": "l2tp_udp_encap_recv() contains a code path that fails to release allocated resources when the protocol version validation errors. This leads to a memory leak of kernel objects such as l2tp_session, l2tp_tunnel, and socket structures. The unreferenced memory accumulates as L2TP sessions are created, which can progressively consume kernel memory and eventually cause a denial of service. The weakness is classified as CWE\u2011401.", "risk_and_exploitability": "The CVSS v3.1 base score is 5.5, indicating moderate severity. EPSS shows an exploitation probability of less than 1\u202f% and the vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. An attacker who can send L2TP UDP packets to the target machine could trigger the leak in multiple session creations. This requires network connectivity to the L2TP service and does not depend on user privileges; therefore, the attack vector is network\u2011based. Because resources are freed only on error, repeated exploitation can lead to kernel memory exhaustion."}}}}, "created": "2026-04-17T23:45:25.811304+00:00", "updated": "2026-04-17T23:45:25.811314+00:00", "vendors": []}