Skip to main content

Linux CVE-2026-23322

| EUVDEUVD-2026-15274 HIGH
Use After Free (CWE-416)
2026-03-25 Linux GHSA-668m-q5h4-jfjc
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 23, 2026 - 21:11 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 21:11 NVD
7.8 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15274
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ipmi: Fix use-after-free and list corruption on sender error

The analysis from Breno:

When the SMI sender returns an error, smi_work() delivers an error response but then jumps back to restart without cleaning up properly:

  1. intf->curr_msg is not cleared, so no new message is pulled
  2. newmsg still points to the message, causing sender() to be called

again with the same message

  1. If sender() fails again, deliver_err_response() is called with

the same recv_msg that was already queued for delivery

This causes list_add corruption ("list_add double add") because the recv_msg is added to the user_msgs list twice. Subsequently, the corrupted list leads to use-after-free when the memory is freed and reused, and eventually a NULL pointer dereference when accessing recv_msg->done.

The buggy sequence:

sender() fails -> deliver_err_response(recv_msg) // recv_msg queued for delivery -> goto restart // curr_msg not cleared! sender() fails again (same message!) -> deliver_err_response(recv_msg) // tries to queue same recv_msg -> LIST CORRUPTION

Fix this by freeing the message and setting it to NULL on a send error. Also, always free the newmsg on a send error, otherwise it will leak.

AnalysisAI

A use-after-free and list corruption vulnerability exists in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem when the SMI sender returns an error. The vulnerability affects all Linux kernel versions with the vulnerable IPMI code path, allowing local attackers or processes with IPMI access to trigger denial of service conditions through list corruption and NULL pointer dereferences. The vulnerability is not currently listed in CISA's KEV catalog, and no CVSS or EPSS scores have been published; however, the technical nature indicates high reliability for exploitation by local actors with kernel interface access.

Technical ContextAI

The vulnerability exists in the Linux kernel's IPMI subsystem (ipmi_si driver or related IPMI message handling code), which implements the Intelligent Platform Management Interface protocol for low-level hardware management. The root cause is improper state cleanup in the smi_work() function when a sender error occurs. When sender() fails, the code calls deliver_err_response() to queue an error response but fails to clear the intf->curr_msg pointer or free the newmsg buffer. This causes the same message object to be reprocessed on the next loop iteration, leading to repeated deliver_err_response() calls with the same recv_msg structure. The recv_msg is added to the user_msgs linked list twice, corrupting the list structure (CWE-416: Use After Free, CWE-415: Double Free). The corrupted list subsequently causes memory access violations and crashes when the corrupted list node is dereferenced. The affected products are specified via CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* for all affected Linux kernel versions.

RemediationAI

Apply the Linux kernel security updates containing the IPMI fix commits referenced at https://git.kernel.org/stable/c/c08ec55617cb9674a060a3392ea08391ab2a4f74, https://git.kernel.org/stable/c/65ff5d1e4410df05edfbeb7bf2d62f7681ce1d53, and https://git.kernel.org/stable/c/594c11d0e1d445f580898a2b8c850f2e3f099368. Systems administrators should update the Linux kernel to a patched version immediately via their distribution's package manager (apt update && apt upgrade, yum update, or equivalent). For systems where immediate kernel patching is not feasible, restrict IPMI interface access to trusted administrators and disable IPMI services if not required for system management. Monitor kernel logs for list corruption warnings and NULL pointer dereference panics, which indicate exploitation or triggering of the vulnerability. Implement access controls on IPMI interfaces and audit IPMI activity for unusual error patterns that might indicate exploitation attempts.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23322 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy