Skip to main content

Linux CVE-2026-23322

| EUVD-2026-15274 HIGH
Use After Free (CWE-416)
2026-03-25 Linux GHSA-668m-q5h4-jfjc
Denial Of Service Linux Use After Free Memory Corruption
7.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 23, 2026 - 21:11 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 21:11 NVD
7.8 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15274
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ipmi: Fix use-after-free and list corruption on sender error

The analysis from Breno:

When the SMI sender returns an error, smi_work() delivers an error response but then jumps back to restart without cleaning up properly:

  1. intf->curr_msg is not cleared, so no new message is pulled
  2. newmsg still points to the message, causing sender() to be called

again with the same message

  1. If sender() fails again, deliver_err_response() is called with

the same recv_msg that was already queued for delivery

This causes list_add corruption ("list_add double add") because the recv_msg is added to the user_msgs list twice. Subsequently, the corrupted list leads to use-after-free when the memory is freed and reused, and eventually a NULL pointer dereference when accessing recv_msg->done.

The buggy sequence:

sender() fails -> deliver_err_response(recv_msg) // recv_msg queued for delivery -> goto restart // curr_msg not cleared! sender() fails again (same message!) -> deliver_err_response(recv_msg) // tries to queue same recv_msg -> LIST CORRUPTION

Fix this by freeing the message and setting it to NULL on a send error. Also, always free the newmsg on a send error, otherwise it will leak.

AnalysisAI

A use-after-free and list corruption vulnerability exists in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem when the SMI sender returns an error. The vulnerability affects all Linux kernel versions with the vulnerable IPMI code path, allowing local attackers or processes with IPMI access to trigger denial of service conditions through list corruption and NULL pointer dereferences. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-47334 MEDIUM
5.5 May 28

Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect
CVE-2026-47335 MEDIUM
5.5 May 28

Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authentic
CVE-2026-47327 LOW
3.3 May 28

NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash th
CVE-2026-47337 LOW
3.3 May 28

NULL pointer dereference in Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) allows an unprivileged local
CVE-2026-45844
May 27

In the Linux kernel, the following vulnerability has been resolved: netfilter: arp_tables: fix IEEE1394 ARP payload par

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

Share

CVE-2026-23322 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy