CVE-2026-23209
Use-After-Free Vulnerability in Linux Kernel macvlan Network Driver
Publication date: 2026-02-14
Last updated on: 2026-04-03
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 4.9 |
| linux | linux_kernel | 4.9 |
| linux | linux_kernel | 4.9 |
| linux | linux_kernel | 4.9 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 5.16 (inc) to 6.1.163 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.70 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.124 (exc) |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.10 (exc) |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 5.11 (inc) to 5.15.200 (exc) |
| linux | linux_kernel | From 4.9.1 (inc) to 5.10.250 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's macvlan network driver, specifically in the macvlan_common_newlink() function. It occurs when creating a new macvlan link in MACVLAN_MODE_SOURCE mode with the MACVLAN_MACADDR_ADD or MACVLAN_MACADDR_SET parameter, and the lower device already has a macvlan port. If the register_netdevice() call fails (for example, due to an invalid link name), an error path is taken where the net_device structure is freed while still being referenced by a source entry in the vlan_source_hash. This leads to a use-after-free condition when packets are sent on the macvlan port with a matching source MAC address, potentially causing the kernel to crash.
How can this vulnerability impact me? :
The vulnerability can cause the Linux kernel to crash due to a use-after-free error in the macvlan network driver. This can lead to denial of service (DoS) conditions on affected systems, disrupting network connectivity and potentially impacting system stability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the conditions that trigger the kernel crash. The following commands demonstrate the steps to reproduce the issue:
- ip link add p1 type veth peer p2
- ip link set address 00:00:00:00:00:20 dev p1
- ip link set up dev p1
- ip link set up dev p2
- ip link add mv0 link p2 type macvlan mode source
- ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20
- ping -c1 -I p1 1.2.3.4
If these commands cause a kernel crash or errors related to macvlan, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been fixed by ensuring that macvlan_flush_sources() is called whenever the error path 'goto destroy_macvlan_port;' is taken during macvlan link creation.
Immediate mitigation steps include updating the Linux kernel to a version that contains this fix.
Until the update is applied, avoid creating macvlan links with MACVLAN_MODE_SOURCE mode combined with MACVLAN_MACADDR_ADD or MACVLAN_MACADDR_SET parameters on devices that already have a macvlan port, as this triggers the vulnerability.