CVE-2026-23255
Received - Intake
RCU Violation in Linux Kernel net/proc_net/ptype Causes Data Race

Publication date: 2026-03-18

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net: add proper RCU protection to /proc/net/ptype

Yin Fengwei reported an RCU stall in ptype_seq_show() and provided a patch.

Real issue is that ptype_seq_next() and ptype_seq_show() violate RCU rules.

ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev to get device name without any barrier.

At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->dev without an RCU grace period.

Define ptype_iter_state to carry a dev pointer along seq_net_private:

	struct ptype_iter_state {
		struct seq_net_private p;
		struct net_device *dev; // added in this patch
	};

We need to record the device pointer in ptype_get_idx() and ptype_seq_next() so that ptype_seq_show() is safe against concurrent pt->dev changes.

We also need to add full RCU protection in ptype_seq_next(). (Missing READ_ONCE() when reading list.next values)

Many thanks to Dong Chenchen for providing a repro.
Meta Information
Published: 2026-03-18
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's network code related to the /proc/net/ptype interface. The issue is that certain functions, specifically ptype_seq_next() and ptype_seq_show(), violate Read-Copy-Update (RCU) rules. The ptype_seq_show() function reads a device pointer (pt->dev) under an RCU read lock without proper synchronization barriers, while concurrent writers can remove and modify the packet_type structure and its device pointer without respecting RCU grace periods. This can lead to unsafe concurrent access and potential data races.

The fix involves adding proper RCU protection by recording the device pointer safely during iteration and adding missing synchronization primitives like READ_ONCE() when accessing linked list pointers. This ensures that ptype_seq_show() is safe against concurrent changes to the device pointer.
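
The snapshot idea behind the fix, modelled in userspace C as an added example (this is not the kernel patch and not code from this page). READ_ONCE is a local stand-in macro, the structs are simplified, and the concurrent writer is simulated by a direct call so the outcome is deterministic.

```c
#include <stdio.h>
#include <string.h>
/* Userspace stand-in for the kernel macro: force exactly one load. */
#define READ_ONCE(x) (*(const volatile __typeof__(x) *)&(x))

/* Simplified models (assumptions), not the kernel's definitions. */
struct net_device  { char name[16]; };
struct packet_type { struct net_device *dev; };
struct iter_state  { struct packet_type *pt; struct net_device *dev; };

/* Models the concurrent writer that clears pt->dev with no grace period. */
static void writer_clears_dev(struct packet_type *pt) { pt->dev = NULL; }

/* Broken pattern: pt->dev is loaded twice and the writer runs in between.
 * Returns NULL at the point where a real reader would dereference NULL. */
static const char *name_double_fetch(struct packet_type *pt)
{
    if (!pt->dev) return "";          /* first load: the check */
    writer_clears_dev(pt);            /* simulated race window */
    struct net_device *d = pt->dev;   /* second load: the use  */
    return d ? d->name : NULL;
}

/* Fixed pattern, iteration step: load pt->dev once and keep the result. */
static void iter_record(struct iter_state *st, struct packet_type *pt)
{
    st->pt  = pt;
    st->dev = READ_ONCE(pt->dev);
}

/* Fixed pattern, show step: use only the snapshot, never pt->dev again.
 * Model assumption: the device object stays allocated while the reader runs. */
static const char *name_from_snapshot(const struct iter_state *st)
{
    return st->dev ? st->dev->name : "";
}

int main(void)
{
    struct net_device eth = { "eth0" };   /* constructed sample device */
    struct packet_type pt = { &eth };
    struct iter_state st;
    printf("double fetch: %s\n", name_double_fetch(&pt) ? "ok" : "NULL deref");
    pt.dev = &eth;
    iter_record(&st, &pt);
    writer_clears_dev(&pt);
    printf("snapshot: %s\n", name_from_snapshot(&st));
    return 0;
}
```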


How can this vulnerability impact me?

This vulnerability can lead to unsafe concurrent access to kernel data structures, potentially causing kernel crashes, data corruption, or undefined behavior. Since it involves improper synchronization in the kernel's network subsystem, exploitation could destabilize the system or lead to denial of service conditions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know

