CVE-2026-23013
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2026-01-25

Last updated on: 2026-04-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqaction registered. This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or crash when an interrupt fires. Fix the error path to free IRQs with the same ioq_vector dev_id used during request_irq().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-25
Last Modified
2026-04-03
Generated
2026-05-09
AI Q&A
2026-01-25
EPSS Evaluated
2026-05-07
NVD
CVE-2026-23013
EUVD
EUVD-2026-4616
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.9
linux linux_kernel From 6.13 (inc) to 6.18.7 (exc)
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.9.1 (inc) to 6.12.67 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's octeon_ep_vf driver where an error in handling IRQ (interrupt request) rollback leads to a mismatch in the device identifier (dev_id) used when freeing IRQs. Specifically, when request_irq() fails part-way, free_irq() is called with a different dev_id than originally used, which can leave IRQ handlers registered incorrectly. This can cause use-after-free errors or crashes when interrupts fire later.


How can this vulnerability impact me? :

The impact of this vulnerability is that it can cause use-after-free conditions or crashes in the Linux kernel when interrupts occur. This can lead to system instability, potential denial of service, or unpredictable behavior due to improper IRQ handler cleanup.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by correcting the free_irq dev_id mismatch in the Linux kernel's octeon_ep_vf driver. To mitigate this vulnerability, update your Linux kernel to a version that includes the fix for this issue, as described in the patch that ensures free_irq is called with the correct dev_id matching the original request_irq call.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart