{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23454", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.020Z", "datePublished": "2026-04-03T15:15:36.189Z", "dateUpdated": "2026-05-11T22:07:18.149Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:07:18.149Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown\n\nA potential race condition exists in mana_hwc_destroy_channel() where\nhwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and\nEvent Queue (EQ) are destroyed. This allows an in-flight CQ interrupt\nhandler to dereference freed memory, leading to a use-after-free or\nNULL pointer dereference in mana_hwc_handle_resp().\n\nmana_smc_teardown_hwc() signals the hardware to stop but does not\nsynchronize against IRQ handlers already executing on other CPUs. The\nIRQ synchronization only happens in mana_hwc_destroy_cq() via\nmana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs\nafter kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()\ncan dereference freed caller_ctx (and rxq->msg_buf) in\nmana_hwc_handle_resp().\n\nFix this by reordering teardown to reverse-of-creation order: destroy\nthe TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This\nensures all in-flight interrupt handlers complete before the memory they\naccess is freed."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/microsoft/mana/hw_channel.c"], "versions": [{"version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f", "lessThan": "b88edf12fc3779521ae5f6f1584153b15f7da6df", "status": "affected", "versionType": "git"}, {"version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f", "lessThan": "e23bf444512cb85d76012080a76cd1f9e967448e", "status": "affected", "versionType": "git"}, {"version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f", "lessThan": "249e905571583a434d4ea8d6f92ccc0eef337115", "status": "affected", "versionType": "git"}, {"version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f", "lessThan": "2b001901f689021acd7bf2dceed74a1bdcaaa1f9", "status": "affected", "versionType": "git"}, {"version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f", "lessThan": "afdb1533eb9c05432aeb793a7280fa827c502f5c", "status": "affected", "versionType": "git"}, {"version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f", "lessThan": "05d345719d85b927cba74afac4d5322de3aa4256", "status": "affected", "versionType": "git"}, {"version": "ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f", "lessThan": "fa103fc8f56954a60699a29215cb713448a39e87", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/microsoft/mana/hw_channel.c"], "versions": [{"version": "5.13", "status": "affected"}, {"version": "0", "lessThan": "5.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b88edf12fc3779521ae5f6f1584153b15f7da6df"}, {"url": "https://git.kernel.org/stable/c/e23bf444512cb85d76012080a76cd1f9e967448e"}, {"url": "https://git.kernel.org/stable/c/249e905571583a434d4ea8d6f92ccc0eef337115"}, {"url": "https://git.kernel.org/stable/c/2b001901f689021acd7bf2dceed74a1bdcaaa1f9"}, {"url": "https://git.kernel.org/stable/c/afdb1533eb9c05432aeb793a7280fa827c502f5c"}, {"url": "https://git.kernel.org/stable/c/05d345719d85b927cba74afac4d5322de3aa4256"}, {"url": "https://git.kernel.org/stable/c/fa103fc8f56954a60699a29215cb713448a39e87"}], "title": "net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown\n\nA potential race condition exists in mana_hwc_destroy_channel() where\nhwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and\nEvent Queue (EQ) are destroyed. This allows an in-flight CQ interrupt\nhandler to dereference freed memory, leading to a use-after-free or\nNULL pointer dereference in mana_hwc_handle_resp().\n\nmana_smc_teardown_hwc() signals the hardware to stop but does not\nsynchronize against IRQ handlers already executing on other CPUs. The\nIRQ synchronization only happens in mana_hwc_destroy_cq() via\nmana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs\nafter kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()\ncan dereference freed caller_ctx (and rxq->msg_buf) in\nmana_hwc_handle_resp().\n\nFix this by reordering teardown to reverse-of-creation order: destroy\nthe TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This\nensures all in-flight interrupt handlers complete before the memory they\naccess is freed."}], "id": "CVE-2026-23454", "lastModified": "2026-04-18T09:16:27.837", "metrics": {}, "published": "2026-04-03T16:16:31.947", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/05d345719d85b927cba74afac4d5322de3aa4256"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/249e905571583a434d4ea8d6f92ccc0eef337115"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2b001901f689021acd7bf2dceed74a1bdcaaa1f9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/afdb1533eb9c05432aeb793a7280fa827c502f5c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b88edf12fc3779521ae5f6f1584153b15f7da6df"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e23bf444512cb85d76012080a76cd1f9e967448e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fa103fc8f56954a60699a29215cb713448a39e87"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown", "id": "2454805", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454805"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's mana network driver. A race condition during the destruction of a hardware completion queue (HWC) channel can lead to memory being freed while still in use. This use-after-free vulnerability allows an in-flight interrupt handler to dereference freed memory. This could potentially result in a system crash, leading to a Denial of Service (DoS), or in more severe cases, arbitrary code execution."], "name": "CVE-2026-23454", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23454\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23454\nhttps://lore.kernel.org/linux-cve-announce/2026040317-CVE-2026-23454-a999@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f,e23bf444512cb85d76012080a76cd1f9e967448e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f,249e905571583a434d4ea8d6f92ccc0eef337115)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f,2b001901f689021acd7bf2dceed74a1bdcaaa1f9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f,afdb1533eb9c05432aeb793a7280fa827c502f5c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f,05d345719d85b927cba74afac4d5322de3aa4256)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f,fa103fc8f56954a60699a29215cb713448a39e87)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-04T04:09:42.549582+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the commit fixing the mana HWC teardown order.", "If a full kernel update is not immediately possible, apply the patch from the kernel repository to the affected driver and reboot to load the patched code.", "Confirm the kernel version or patch status after updating to verify the vulnerability has been mitigated."], "summary": {"action": "Patch Required", "impact": "Kernel memory corruption due to use\u2011after\u2011free"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that include the mana wireless HWC driver and have not applied the commit that reorders teardown are affected. The vulnerability applies to any system on which this driver is loaded, with no specific distribution or kernel version enumerated.", "description_and_impact": "A race condition in the Linux kernel\u2019s HWC mana subsystem allows an in\u2011flight CQ interrupt handler to access freed memory. The bug causes a use\u2011after\u2011free or NULL pointer dereference in mana_hwc_handle_resp(), potentially corrupting kernel data structures.", "risk_and_exploitability": "The CVSS score of 7.0 indicates moderate severity. Exploitation requires a local attacker who can trigger the race condition by interacting with the HWC subsystem. The EPSS score is not available and the CVE is not listed in the KISA KEV catalog. The lack of a documented public exploit does not mitigate the inherent kernel memory corruption risk; it is inferred that a local attack vector would be required to exercise the vulnerability."}}}}, "created": "2026-04-03T21:13:44.193313+00:00", "updated": "2026-04-07T07:17:25.051478+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}