CVE-2026-23255
Modified Modified - Updated After Analysis
RCU Violation in Linux Kernel net/proc_net/ptype Causes Data Race

Publication date: 2026-03-18

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: add proper RCU protection to /proc/net/ptype Yin Fengwei reported an RCU stall in ptype_seq_show() and provided a patch. Real issue is that ptype_seq_next() and ptype_seq_show() violate RCU rules. ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev to get device name without any barrier. At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->dev without an RCU grace period. Define ptype_iter_state to carry a dev pointer along seq_net_private: struct ptype_iter_state { struct seq_net_private p; struct net_device *dev; // added in this patch }; We need to record the device pointer in ptype_get_idx() and ptype_seq_next() so that ptype_seq_show() is safe against concurrent pt->dev changes. We also need to add full RCU protection in ptype_seq_next(). (Missing READ_ONCE() when reading list.next values) Many thanks to Dong Chenchen for providing a repro.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23255
EUVD
EUVD-2026-12886
Affected Vendors & Products
Showing 16 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.13 (inc) to 6.18.10 (exc)
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
linux linux_kernel From 2.6.12.1 (inc) to 6.6.136 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's network code related to the /proc/net/ptype interface. The issue is that certain functions, specifically ptype_seq_next() and ptype_seq_show(), violate Read-Copy-Update (RCU) rules. The ptype_seq_show() function reads a device pointer (pt->dev) under an RCU read lock without proper synchronization barriers, while concurrent writers can remove and modify the packet_type structure and its device pointer without respecting RCU grace periods. This can lead to unsafe concurrent access and potential data races.

The fix involves adding proper RCU protection by recording the device pointer safely during iteration and adding missing synchronization primitives like READ_ONCE() when accessing linked list pointers. This ensures that ptype_seq_show() is safe against concurrent changes to the device pointer.

Impact Analysis

This vulnerability can lead to unsafe concurrent access to kernel data structures, potentially causing kernel crashes, data corruption, or undefined behavior. Since it involves improper synchronization in the kernel's network subsystem, exploitation could destabilize the system or lead to denial of service conditions.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23255. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart