CVE-2026-23326
Received Received - Intake
Buffer Leak in Linux Kernel xsk Due to List Handling Error

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: xsk: Fix fragment node deletion to prevent buffer leak After commit b692bf9a7543 ("xsk: Get rid of xdp_buff_xsk::xskb_list_node"), the list_node field is reused for both the xskb pool list and the buffer free list, this causes a buffer leak as described below. xp_free() checks if a buffer is already on the free list using list_empty(&xskb->list_node). When list_del() is used to remove a node from the xskb pool list, it doesn't reinitialize the node pointers. This means list_empty() will return false even after the node has been removed, causing xp_free() to incorrectly skip adding the buffer to the free list. Fix this by using list_del_init() instead of list_del() in all fragment handling paths, this ensures the list node is reinitialized after removal, allowing the list_empty() to work correctly.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23326
EUVD
EUVD-2026-15279
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.13
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13.1 (inc) to 6.18.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's xsk (XDP socket) subsystem. After a specific code change, the same list_node field was reused for two different lists: the xskb pool list and the buffer free list. When a buffer node is removed from the xskb pool list using list_del(), the node pointers are not reinitialized. As a result, a check that determines if the buffer is already on the free list (using list_empty()) incorrectly returns false, causing the buffer to be skipped and not added to the free list. This leads to a buffer leak.

The fix involved replacing list_del() with list_del_init() in all fragment handling paths. This change ensures that the list node is properly reinitialized after removal, allowing the list_empty() check to work correctly and preventing the buffer leak.

Impact Analysis

This vulnerability can cause a buffer leak in the Linux kernel's xsk subsystem. Buffer leaks can lead to increased memory usage over time, potentially exhausting system resources. This may degrade system performance, cause instability, or in extreme cases, lead to denial of service if the system runs out of memory.

Mitigation Strategies

The vulnerability is fixed by ensuring that the Linux kernel uses list_del_init() instead of list_del() in all fragment handling paths to properly reinitialize list nodes and prevent buffer leaks.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix (after commit b692bf9a7543).

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23326. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart