CVE-2026-23322
Received Received - Intake
Use-After-Free and List Corruption in Linux IPMI on Sender Error

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ipmi: Fix use-after-free and list corruption on sender error The analysis from Breno: When the SMI sender returns an error, smi_work() delivers an error response but then jumps back to restart without cleaning up properly: 1. intf->curr_msg is not cleared, so no new message is pulled 2. newmsg still points to the message, causing sender() to be called again with the same message 3. If sender() fails again, deliver_err_response() is called with the same recv_msg that was already queued for delivery This causes list_add corruption ("list_add double add") because the recv_msg is added to the user_msgs list twice. Subsequently, the corrupted list leads to use-after-free when the memory is freed and reused, and eventually a NULL pointer dereference when accessing recv_msg->done. The buggy sequence: sender() fails -> deliver_err_response(recv_msg) // recv_msg queued for delivery -> goto restart // curr_msg not cleared! sender() fails again (same message!) -> deliver_err_response(recv_msg) // tries to queue same recv_msg -> LIST CORRUPTION Fix this by freeing the message and setting it to NULL on a send error. Also, always free the newmsg on a send error, otherwise it will leak.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-05-09
AI Q&A
2026-03-25
EPSS Evaluated
2026-05-08
NVD
CVE-2026-23322
EUVD
EUVD-2026-15274
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.18
linux linux_kernel From 6.18.1 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's IPMI implementation. When the SMI sender returns an error, the function smi_work() attempts to deliver an error response but fails to properly clean up before restarting. Specifically, the current message pointer (curr_msg) is not cleared, causing the same message to be processed repeatedly.

This leads to the same receive message (recv_msg) being added twice to a list (user_msgs), causing list corruption known as a "list_add double add." This corrupted list eventually results in a use-after-free condition when the memory is freed and reused, and can also cause a NULL pointer dereference when accessing recv_msg->done.

The fix involves freeing the message and setting it to NULL on a send error, and always freeing the new message on a send error to prevent memory leaks.


How can this vulnerability impact me? :

This vulnerability can lead to memory corruption issues such as use-after-free and NULL pointer dereferences within the Linux kernel's IPMI subsystem.

Such memory corruption can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if exploited.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by ensuring that the message is freed and set to NULL on a send error, and by always freeing the new message on a send error to prevent leaks.

Therefore, the immediate mitigation step is to update the Linux kernel to a version where this fix has been applied.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart