Skip to main content

Linux EUVDEUVD-2026-12886

| CVE-2026-23255 MEDIUM
2026-03-18 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
4.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 21, 2026 - 00:22 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 18:00 euvd
EUVD-2026-12886
Analysis Generated
Mar 18, 2026 - 18:00 vuln.today
CVE Published
Mar 18, 2026 - 17:41 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: add proper RCU protection to /proc/net/ptype

Yin Fengwei reported an RCU stall in ptype_seq_show() and provided a patch.

Real issue is that ptype_seq_next() and ptype_seq_show() violate RCU rules.

ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev to get device name without any barrier.

At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->dev without an RCU grace period.

Define ptype_iter_state to carry a dev pointer along seq_net_private:

struct ptype_iter_state { struct seq_net_private p; struct net_device *dev; // added in this patch };

We need to record the device pointer in ptype_get_idx() and ptype_seq_next() so that ptype_seq_show() is safe against concurrent pt->dev changes.

We also need to add full RCU protection in ptype_seq_next(). (Missing READ_ONCE() when reading list.next values)

Many thanks to Dong Chenchen for providing a repro.

AnalysisAI

A race condition vulnerability exists in the Linux kernel's /proc/net/ptype implementation where concurrent readers and writers violate RCU (Read-Copy-Update) synchronization rules, allowing information disclosure through unsafe access to device pointers. The vulnerability affects all Linux kernel versions with the vulnerable ptype_seq_show() and ptype_seq_next() functions. An attacker with local access can trigger RCU stalls, kernel panics, or read uninitialized kernel memory by racing concurrent packet type structure modifications against /proc/net/ptype reads, potentially leaking sensitive kernel data or causing denial of service.

Technical ContextAI

The vulnerability exists in the Linux kernel's packet type handling subsystem, specifically in the /proc/net/ptype procfs interface that enumerates registered packet handlers. The root cause is an RCU synchronization violation where ptype_seq_show() and ptype_seq_next() read the pt->dev field of packet_type structures while holding only rcu_read_lock(), but concurrent writers can remove and free these structures or clear pt->dev without proper RCU grace periods. The fix introduces a ptype_iter_state structure to carry device pointer references safely, adds READ_ONCE() barriers to prevent compiler optimizations that mask the race, and ensures full RCU protection throughout the iteration sequence. This affects the Linux kernel network stack (CPE 2.3:a:linux:linux) across all versions prior to the patch commit hashes provided (589a530ae44d0c80f523fcfd1a15af8087f27d35 and f613e8b4afea0cd17c7168e8b00e25bc8d33175d).

RemediationAI

Update the Linux kernel to a version that includes the fix commits 589a530ae44d0c80f523fcfd1a15af8087f27d35 (for one kernel branch) and f613e8b4afea0cd17c7168e8b00e25bc8d33175d (for parallel stable branches). Check with your Linux distribution for kernel updates incorporating these fixes; most enterprise distributions will backport these commits to their supported kernel versions. For systems unable to immediately patch, restrict access to /proc/net/ptype by adjusting procfs permissions via mount options (proc_mount with hidepid parameter) or by using security modules like AppArmor/SELinux to deny unprivileged reads to /proc/net/. These workarounds reduce but do not eliminate risk. The primary remediation remains kernel update via your distribution's standard patch mechanisms; see https://git.kernel.org/stable/c/589a530ae44d0c80f523fcfd1a15af8087f27d35 and https://git.kernel.org/stable/c/f613e8b4afea0cd17c7168e8b00e25bc8d33175d for upstream patch details.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky fixed 6.19.6-2 -
sid fixed 6.19.8-1 -
(unstable) fixed 6.18.10-1 -

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.127 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.114 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.144 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.116 Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.161 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.107 Affected
Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-CHOST-BYOS-GDC Image SLES-CHOST-BYOS-SAP-CCloud Image SLES-EC2 Image SLES-GCE Image SLES-GCE-3P Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Image SLES-SAPCAL-Azure Image SLES-SAPCAL-EC2 Image SLES-SAPCAL-GCE Affected
Image SLES-SAP-Azure Image SLES-SAP-Azure-3P Image SLES-SAP-BYOS-Azure Image SLES-SAP-BYOS-EC2 Image SLES-SAP-BYOS-GCE Image SLES-SAP-EC2 Image SLES-SAP-GCE Image SLES-SAP-GCE-3P Affected

Share

EUVD-2026-12886 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy