{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23326", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.996Z", "datePublished": "2026-03-25T10:27:19.021Z", "dateUpdated": "2026-05-11T22:04:42.016Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:42.016Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix fragment node deletion to prevent buffer leak\n\nAfter commit b692bf9a7543 (\"xsk: Get rid of xdp_buff_xsk::xskb_list_node\"),\nthe list_node field is reused for both the xskb pool list and the buffer\nfree list, this causes a buffer leak as described below.\n\nxp_free() checks if a buffer is already on the free list using\nlist_empty(&xskb->list_node). When list_del() is used to remove a node\nfrom the xskb pool list, it doesn't reinitialize the node pointers.\nThis means list_empty() will return false even after the node has been\nremoved, causing xp_free() to incorrectly skip adding the buffer to the\nfree list.\n\nFix this by using list_del_init() instead of list_del() in all fragment\nhandling paths, this ensures the list node is reinitialized after removal,\nallowing the list_empty() to work correctly."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/xdp_sock_drv.h", "net/xdp/xsk.c"], "versions": [{"version": "560c974b7ccd95bb9ff20df77f6654283e45c9c6", "lessThan": "5172adf9efb8298a52f4dcdc3f98d4d9d1e06a6d", "status": "affected", "versionType": "git"}, {"version": "fd5614763805d6f386bd07cc53558f88b1b1eb62", "lessThan": "2a9ea988465ece5b6896b1bdc144170a64e84c35", "status": "affected", "versionType": "git"}, {"version": "b692bf9a7543af7ad11a59d182a3757578f0ba53", "lessThan": "645c6d8376ad4913cbffe0e0c2cca0c4febbe596", "status": "affected", "versionType": "git"}, {"version": "b692bf9a7543af7ad11a59d182a3757578f0ba53", "lessThan": "b38cbd4af5034635cff109e08788c63f956f3a69", "status": "affected", "versionType": "git"}, {"version": "b692bf9a7543af7ad11a59d182a3757578f0ba53", "lessThan": "60abb0ac11dccd6b98fd9182bc5f85b621688861", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/xdp_sock_drv.h", "net/xdp/xsk.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5172adf9efb8298a52f4dcdc3f98d4d9d1e06a6d"}, {"url": "https://git.kernel.org/stable/c/2a9ea988465ece5b6896b1bdc144170a64e84c35"}, {"url": "https://git.kernel.org/stable/c/645c6d8376ad4913cbffe0e0c2cca0c4febbe596"}, {"url": "https://git.kernel.org/stable/c/b38cbd4af5034635cff109e08788c63f956f3a69"}, {"url": "https://git.kernel.org/stable/c/60abb0ac11dccd6b98fd9182bc5f85b621688861"}], "title": "xsk: Fix fragment node deletion to prevent buffer leak", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "40E7536C-DA22-4B7D-9953-0343B4D9A3E6", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*", "matchCriteriaId": "5A3F9505-6B98-4269-8B81-127E55A1BF00", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix fragment node deletion to prevent buffer leak\n\nAfter commit b692bf9a7543 (\"xsk: Get rid of xdp_buff_xsk::xskb_list_node\"),\nthe list_node field is reused for both the xskb pool list and the buffer\nfree list, this causes a buffer leak as described below.\n\nxp_free() checks if a buffer is already on the free list using\nlist_empty(&xskb->list_node). When list_del() is used to remove a node\nfrom the xskb pool list, it doesn't reinitialize the node pointers.\nThis means list_empty() will return false even after the node has been\nremoved, causing xp_free() to incorrectly skip adding the buffer to the\nfree list.\n\nFix this by using list_del_init() instead of list_del() in all fragment\nhandling paths, this ensures the list node is reinitialized after removal,\nallowing the list_empty() to work correctly."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nxsk: Corrige la eliminaci\u00f3n de nodos de fragmento para prevenir una fuga de b\u00fafer\n\nDespu\u00e9s del commit b692bf9a7543 ('xsk: Elimina xdp_buff_xsk::xskb_list_node'), el campo list_node se reutiliza tanto para la lista de la piscina xskb como para la lista de b\u00faferes libres, esto causa una fuga de b\u00fafer como se describe a continuaci\u00f3n.\n\nxp_free() comprueba si un b\u00fafer ya est\u00e1 en la lista de libres usando list_empty(&xskb->list_node). Cuando se usa list_del() para eliminar un nodo de la lista de la piscina xskb, no reinicializa los punteros del nodo. Esto significa que list_empty() devolver\u00e1 falso incluso despu\u00e9s de que el nodo haya sido eliminado, causando que xp_free() omita incorrectamente a\u00f1adir el b\u00fafer a la lista de libres.\n\nSoluciona esto usando list_del_init() en lugar de list_del() en todas las rutas de manejo de fragmentos, esto asegura que el nodo de la lista se reinicialice despu\u00e9s de la eliminaci\u00f3n, permitiendo que list_empty() funcione correctamente."}], "id": "CVE-2026-23326", "lastModified": "2026-04-23T21:11:17.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:29.687", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2a9ea988465ece5b6896b1bdc144170a64e84c35"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5172adf9efb8298a52f4dcdc3f98d4d9d1e06a6d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/60abb0ac11dccd6b98fd9182bc5f85b621688861"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/645c6d8376ad4913cbffe0e0c2cca0c4febbe596"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b38cbd4af5034635cff109e08788c63f956f3a69"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: xsk: Fix fragment node deletion to prevent buffer leak", "id": "2451215", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451215"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-909", "details": ["A flaw was found in the Linux kernel. An issue in the eXpress Data Path (XDP) socket (xsk) component, specifically during fragment node deletion, can lead to a buffer leak. This occurs because a list node is not properly reinitialized after removal, causing the system to incorrectly manage memory. This could potentially lead to system instability or a denial of service."], "name": "CVE-2026-23326", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23326\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23326\nhttps://lore.kernel.org/linux-cve-announce/2026032531-CVE-2026-23326-ffc6@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[560c974b7ccd95bb9ff20df77f6654283e45c9c6,5172adf9efb8298a52f4dcdc3f98d4d9d1e06a6d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[fd5614763805d6f386bd07cc53558f88b1b1eb62,2a9ea988465ece5b6896b1bdc144170a64e84c35)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b692bf9a7543af7ad11a59d182a3757578f0ba53,645c6d8376ad4913cbffe0e0c2cca0c4febbe596)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b692bf9a7543af7ad11a59d182a3757578f0ba53,b38cbd4af5034635cff109e08788c63f956f3a69)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b692bf9a7543af7ad11a59d182a3757578f0ba53,60abb0ac11dccd6b98fd9182bc5f85b621688861)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T22:07:56.938691+00:00", "value": {"mitigation_remediation": ["Apply the kernel update that contains commit b692bf9a7543 or any newer version that uses list_del_init for XDP fragment handling.", "Monitor system memory usage and kernel logs for signs of the xsk buffer leak, and consider applying temporary tuning or restricting XDP traffic until the patch can be deployed.", "Consider disabling or reconfiguring XDP sockets on interfaces that do not need high\u2011speed packet processing to reduce the attack surface until the vulnerability is fully mitigated."], "summary": {"action": "Apply Patch", "impact": "Buffer Leak Leading to Resource Exhaustion"}, "threat_synthesis": {"affected_systems": "The flaw affects all Linux kernel releases that include the flawed xsk fragment handling logic prior to the commit that replaces list_del() with list_del_init(). Users of any distribution\u2019s kernel that has not been updated to include this patch are vulnerable. The issue applies to kernel components associated with network packet handling and XDP socket (xsk) buffers. No specific vendor version numbers are listed; any kernel version lacking the patch is susceptible.", "description_and_impact": "The vulnerability exposes a buffer leak in the Linux kernel\u2019s eXpress Data Path (XDP) socket (xsk) fragment handling. A node removed from the packet buffer pool list was not re\u2011initialized, causing the free\u2011list test to fail and preventing the buffer from being added back to the pool. This results in incrementally increasing memory usage as buffers are leaked. The weakness is a classic buffer leak, classified as CWE\u2011909, and the CNA also records it as CWE\u2011787 due to improper list node reuse. It can lead to degraded system performance or denial of service if the leak is exploited extensively.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high impact. The EPSS score of less than 1% suggests a low probability of exploitation. This flaw is not listed in the CISA KEV catalog. While the description does not specify an explicit attack vector, the nature of the bug implies that an attacker would need to trigger the XDP fragment handling path\u2014likely by sending a large number or specially crafted packets to a network interface configured for xsk. This inference points to a local or network\u2011based denial of service risk rather than remote code execution."}}}}, "created": "2026-03-25T21:27:35.030841+00:00", "updated": "2026-04-28T22:15:41.367491+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}