CVE-2026-23255

ADVISORY - nist

Summary

In the Linux kernel, the following vulnerability has been resolved:

net: add proper RCU protection to /proc/net/ptype

Yin Fengwei reported an RCU stall in ptype_seq_show() and provided a patch.

Real issue is that ptype_seq_next() and ptype_seq_show() violate RCU rules.

ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev to get device name without any barrier.

At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->dev without an RCU grace period.

Define ptype_iter_state to carry a dev pointer along seq_net_private:

struct ptype_iter_state { struct seq_net_private p; struct net_device *dev; // added in this patch };

We need to record the device pointer in ptype_get_idx() and ptype_seq_next() so that ptype_seq_show() is safe against concurrent pt->dev changes.

We also need to add full RCU protection in ptype_seq_next(). (Missing READ_ONCE() when reading list.next values)

Many thanks to Dong Chenchen for providing a repro.

EPSS Score: 0.00114 (0.017)

Common Weakness Enumeration (CWE)

ADVISORY - nist
ADVISORY - redhat

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in