Skip to main content

Linux CVE-2026-23454

| EUVDEUVD-2026-18708 HIGH
Use After Free (CWE-416)
2026-04-03 Linux GHSA-v535-7p5c-7xm9
7.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
6.4 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
May 26, 2026 - 14:52 vuln.today
cvss_changed
CVSS changed
May 26, 2026 - 14:52 NVD
7.0 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
249e905571583a434d4ea8d6f92ccc0eef337115,05d345719d85b927cba74afac4d5322de3aa4256,2b001901f689021acd7bf2dceed74a1bdcaaa1f9
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18708
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown

A potential race condition exists in mana_hwc_destroy_channel() where hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt handler to dereference freed memory, leading to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp().

mana_smc_teardown_hwc() signals the hardware to stop but does not synchronize against IRQ handlers already executing on other CPUs. The IRQ synchronization only happens in mana_hwc_destroy_cq() via mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() can dereference freed caller_ctx (and rxq->msg_buf) in mana_hwc_handle_resp().

Fix this by reordering teardown to reverse-of-creation order: destroy the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This ensures all in-flight interrupt handlers complete before the memory they access is freed.

AnalysisAI

Use-after-free in Linux kernel MANA hardware channel teardown (net/mana driver) allows concurrent interrupt handlers to dereference freed memory in mana_hwc_destroy_channel(), potentially causing NULL pointer dereference or memory corruption. The vulnerability stems from improper teardown ordering where hwc->caller_ctx is freed before CQ/EQ IRQ handlers are fully synchronized, affecting all Linux kernel versions with the MANA driver. Fixes are available across stable kernel branches via upstream commit reordering.

Technical ContextAI

The MANA (Microsoft Azure Network Adapter) driver in the Linux kernel manages hardware communication channels (HWC) through completion queues (CQ) and event queues (EQ) with associated interrupt handlers. The root cause is a synchronization ordering violation (CWE-415: Double Free or analogous race condition) in mana_hwc_destroy_channel(): the function calls mana_smc_teardown_hwc() to signal hardware stop, then immediately frees hwc->caller_ctx via kfree(), but does not synchronize against in-flight CQ interrupt handlers (mana_hwc_rx_event_handler()) executing on other CPUs. The IRQ synchronization that prevents further interrupts only occurs later in mana_hwc_destroy_cq() via the mana_gd_destroy_eq() -> mana_gd_deregister_irq() call chain. This creates a race window where a pending interrupt handler can call mana_hwc_handle_resp() and dereference the already-freed caller_ctx or rxq->msg_buf pointers. The fix reorders teardown to reverse-of-creation order (destroy queues/IRQ handlers before freeing memory), ensuring all interrupt handlers have completed before memory is deallocated.

RemediationAI

Apply the upstream fix by updating to a patched kernel version released after the commits in the stable branches. Vendor-released patches are available across stable kernel branches via commits e23bf444512cb85d76012080a76cd1f9e967448e, 249e905571583a434d4ea8d6f92ccc0eef337115, 2b001901f689021acd7bf2dceed74a1bdcaaa1f9, afdb1533eb9c05432aeb793a7280fa827c502f5c, 05d345719d85b927cba74afac4d5322de3aa4256, and fa103fc8f56954a60699a29215cb713448a39e87 (referenced at https://git.kernel.org/stable/). These commits reverse the teardown order in mana_hwc_destroy_channel() to synchronize IRQ handlers before memory deallocation. No workaround is available for running vulnerable kernels; kernel upgrade is required. For Azure VMs, request latest kernel updates from your distribution (Ubuntu, Red Hat, etc.) targeting the patched stable branch series.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Image SLES-Azure-Basic Image SLES-EC2 Image SLES-Hardened-BYOS-Azure Image SLES-SAPCAL-Azure Affected
SUSE Linux Micro 6.2 Fixed
openSUSE Leap 16.0 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise Live Patching 15 SP7 Affected

Share

CVE-2026-23454 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy