CVE-2026-23104
Use-After-Free Vulnerability in Linux Kernel ice Driver hwmon Component
Publication date: 2026-02-04
Last updated on: 2026-03-25
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 6.8 (inc) to 6.18.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's ice driver related to the handling of the internal temperature sensor via HWMON. A recent change introduced the reading of this sensor and added initialization and cleanup functions for it. However, when the device is reinitialized using devlink reload and then the driver is removed, a call trace (error) occurs due to orphaned hardware monitoring sysfs attributes referencing freed module memory. This happens because the cleanup function was not called properly during devlink reload, leaving dangling pointers that cause repeated errors when system monitoring tools try to access them.
How can this vulnerability impact me? :
The vulnerability can cause repeated kernel call traces (errors) approximately every 10 minutes when system monitoring tools attempt to read hardware monitoring attributes that reference freed memory. This can lead to system instability or crashes due to page faults, potentially affecting system reliability and monitoring accuracy.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing repeated call traces approximately every 10 minutes in the system logs. These call traces occur when system monitoring tools attempt to read orphaned hwmon sysfs attributes referencing freed module memory.
Specifically, the call trace includes messages such as "BUG: unable to handle page fault for address" followed by a stack trace involving functions like vsnprintf, sprintf, name_show, and dev_attr_show.
To detect this on your system, you can monitor the kernel log for these call traces using commands like:
- dmesg | grep -i 'BUG: unable to handle page fault'
- journalctl -k | grep -i 'BUG: unable to handle page fault'
- watch -n 600 'dmesg | tail -n 20'
Additionally, monitoring system tools like sadc that read hwmon sysfs attributes may trigger these call traces, so checking logs around their execution times can help identify the issue.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is caused by improper cleanup of hwmon instances during devlink reload and driver removal, leading to dangling pointers and call traces.
Immediate mitigation involves ensuring that the Linux kernel version in use includes the fix that moves ice_hwmon_exit() from ice_remove() to ice_deinit_features(), which properly cleans up the hwmon instances.
Therefore, the recommended immediate step is to update your Linux kernel to a version that contains this fix.
As a temporary workaround, avoid using devlink reload commands that reinitialize the device and then remove the driver until the fix is applied.