Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local netlink caller (AV:L, PR:L); AC:H because the double-free only fires when genlmsg_reply() is forced to fail (full rcvbuf), and kernel memory corruption yields C/I/A:H.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
netdev: fix double-free in netdev_nl_bind_rx_doit()
Sashiko flags that genlmsg_reply() always consumes the skb. The error path calls nlmsg_free(rsp) so we can't jump directly to it. Let's not unbind, just propagate the error to the user. This is the typical way of handling genlmsg_reply() failures. They shouldn't happen unless user does something silly like calling the kernel with an already-full rcvbuf.
AnalysisAI
Local memory corruption (double-free) in the Linux kernel netdev generic-netlink interface affects the device-memory RX binding path (netdev_nl_bind_rx_doit) in kernels 7.1-rc1 through 7.1-rc7 and backport-affected stable branches. Because genlmsg_reply() unconditionally consumes the reply skb, the buggy error path then calls nlmsg_free() on that same buffer, freeing it a second time; a local user able to reach the BIND_RX netlink command and force a reply failure can trigger the flaw. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to a vulnerable kernel and the ability to invoke the netdev generic-netlink family's BIND_RX command (netdev_nl_bind_rx_doit), i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals point to a genuine but low-priority local memory-safety bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with access to the netdev generic-netlink family issues a BIND_RX request and deliberately drives the netlink socket into a state where the reply cannot be delivered (for example an already-full receive buffer), causing genlmsg_reply() to fail and the error path to free the reply skb a second time. The resulting double-free corrupts kernel slab state, which a skilled attacker could attempt to shape toward a use-after-free and local privilege escalation. … |
| Remediation | Vendor-released patch: update to a fixed Linux kernel build - 7.0.13, 6.12.94, 6.18.36, or 7.1 (or later) depending on your branch - via the stable-tree commits at https://git.kernel.org/stable/c/9b019376cbee10c4f9184d1745fa37d156e36f30 and the companion commits (c299321bc6232770ce378d6fa6bc46004d2d7fdb, c849de7d8757a7af801fc4a4058f71d481d367f2, e055ca9205d3eb6aec3e5fe4ecc18abbbf18c599); consume the fix through your distribution's kernel update channel. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Scan inventory for systems running Linux kernel 7.1-rc1 through 7.1-rc7 and affected stable branches. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-415 – Double Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39324
GHSA-wr67-pp59-29qp