CVE-2026-23454
Analyzed Analyzed - Analysis Complete
Use-After-Free in Linux Kernel mana Network Driver Causes Crash

Publication date: 2026-04-03

Last updated on: 2026-05-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown A potential race condition exists in mana_hwc_destroy_channel() where hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt handler to dereference freed memory, leading to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp(). mana_smc_teardown_hwc() signals the hardware to stop but does not synchronize against IRQ handlers already executing on other CPUs. The IRQ synchronization only happens in mana_hwc_destroy_cq() via mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() can dereference freed caller_ctx (and rxq->msg_buf) in mana_hwc_handle_resp(). Fix this by reordering teardown to reverse-of-creation order: destroy the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This ensures all in-flight interrupt handlers complete before the memory they access is freed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23454
EUVD
EUVD-2026-18708
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 5.13 (inc) to 5.15.203 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free bug in the Linux kernel's mana network driver, specifically in the function mana_hwc_destroy_channel().

A race condition occurs because the caller context (caller_ctx) is freed before the Completion Queue (CQ) and Event Queue (EQ) are destroyed. This means that an interrupt handler running concurrently can try to access memory that has already been freed, leading to a use-after-free or NULL pointer dereference.

The fix involves reordering the teardown process to destroy the TX/RX work queues and CQ/EQ before freeing the caller context, ensuring that all interrupt handlers complete before the memory they access is freed.

Impact Analysis

This vulnerability can lead to system instability or crashes due to use-after-free or NULL pointer dereferences in the network driver.

An attacker or a malicious process might exploit this race condition to cause denial of service by triggering kernel crashes or potentially execute arbitrary code if they can control the freed memory.

Mitigation Strategies

The vulnerability is fixed by reordering the teardown process in the Linux kernel's mana driver to ensure that all in-flight interrupt handlers complete before the memory they access is freed.

Immediate mitigation steps include updating the Linux kernel to a version where this fix is applied, which ensures that the TX/RX work queues and Completion/Event Queues are destroyed before freeing the caller context memory.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23454. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart