CVE-2026-23454
Use-After-Free in Linux Kernel mana Network Driver Causes Crash

Publication date: 2026-04-03

Last updated on: 2026-04-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown

A potential race condition exists in mana_hwc_destroy_channel() where hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt handler to dereference freed memory, leading to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp().

mana_smc_teardown_hwc() signals the hardware to stop but does not synchronize against IRQ handlers already executing on other CPUs. The IRQ synchronization only happens in mana_hwc_destroy_cq() via mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() can dereference freed caller_ctx (and rxq->msg_buf) in mana_hwc_handle_resp().

Fix this by reordering teardown to reverse-of-creation order: destroy the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This ensures all in-flight interrupt handlers complete before the memory they access is freed.

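
The ordering rule in the description, as an added example that is not the driver's code: a small model that walks a teardown sequence and counts the points at which an interrupt handler could still run while caller_ctx is already freed. The step names, the struct and the exact position of the work-queue step in the pre-fix sequence are assumptions made for illustration.

```c
#include <stddef.h>

/* Teardown steps named after the description; a simplified model, not driver code. */
enum step {
    SMC_TEARDOWN,    /* asks the hardware to stop; does NOT wait for running handlers */
    DESTROY_WQ,      /* TX/RX work queues */
    DESTROY_CQ_EQ,   /* deregisters the IRQ: afterwards no handler can be executing */
    FREE_CALLER_CTX  /* stands in for kfree(hwc->caller_ctx) */
};

struct hwc_model {
    int irq_registered; /* a handler may still execute on another CPU */
    int ctx_valid;      /* caller_ctx has not been freed yet */
};

static void apply_step(struct hwc_model *m, enum step s)
{
    if (s == DESTROY_CQ_EQ)
        m->irq_registered = 0;
    else if (s == FREE_CALLER_CTX)
        m->ctx_valid = 0;
    /* SMC_TEARDOWN and DESTROY_WQ change neither property in this model. */
}

/* Count the steps after which a handler could run and touch freed caller_ctx. */
int uaf_windows(const enum step *order, size_t n)
{
    struct hwc_model m = { 1, 1 };
    int windows = 0;

    for (size_t i = 0; i < n; i++) {
        apply_step(&m, order[i]);
        if (m.irq_registered && !m.ctx_valid)
            windows++;
    }
    return windows;
}

/* Sequences constructed from the description (work-queue position pre-fix is assumed). */
const enum step order_before_fix[] = { SMC_TEARDOWN, FREE_CALLER_CTX, DESTROY_WQ, DESTROY_CQ_EQ };
const enum step order_after_fix[]  = { SMC_TEARDOWN, DESTROY_WQ, DESTROY_CQ_EQ, FREE_CALLER_CTX };
```

The same check applies to any driver teardown path: every free of memory an interrupt handler reads must come after the step that deregisters or synchronizes that IRQ.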
Meta Information
Published: 2026-04-03
Last Modified: 2026-04-18
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free bug in the Linux kernel's mana network driver, specifically in the function mana_hwc_destroy_channel().

A race condition occurs because the caller context (caller_ctx) is freed before the Completion Queue (CQ) and Event Queue (EQ) are destroyed. This means that an interrupt handler running concurrently can try to access memory that has already been freed, leading to a use-after-free or NULL pointer dereference.

The fix involves reordering the teardown process to destroy the TX/RX work queues and CQ/EQ before freeing the caller context, ensuring that all interrupt handlers complete before the memory they access is freed.


How can this vulnerability impact me?

This vulnerability can lead to system instability or crashes due to use-after-free or NULL pointer dereferences in the network driver.

An attacker or a malicious process might exploit this race condition to cause denial of service by triggering kernel crashes or potentially execute arbitrary code if they can control the freed memory.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by reordering the teardown process in the Linux kernel's mana driver to ensure that all in-flight interrupt handlers complete before the memory they access is freed.

Immediate mitigation steps include updating the Linux kernel to a version where this fix is applied, which ensures that the TX/RX work queues and Completion/Event Queues are destroyed before freeing the caller context memory.

