Skip to main content

Linux EUVDEUVD-2026-15225

| CVE-2026-23294 HIGH
Race Condition (CWE-362)
2026-03-25 Linux GHSA-4h26-3w83-pfh6
7.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15225
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:26 nvd
HIGH 7.0

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix race in devmap on PREEMPT_RT

On PREEMPT_RT kernels, the per-CPU xdp_dev_bulk_queue (bq) can be accessed concurrently by multiple preemptible tasks on the same CPU.

The original code assumes bq_enqueue() and __dev_flush() run atomically with respect to each other on the same CPU, relying on local_bh_disable() to prevent preemption. However, on PREEMPT_RT, local_bh_disable() only calls migrate_disable() (when PREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable preemption, which allows CFS scheduling to preempt a task during bq_xmit_all(), enabling another task on the same CPU to enter bq_enqueue() and operate on the same per-CPU bq concurrently.

This leads to several races:

  1. Double-free / use-after-free on bq->q[]: bq_xmit_all() snapshots

cnt = bq->count, then iterates bq->q[0..cnt-1] to transmit frames. If preempted after the snapshot, a second task can call bq_enqueue() -> bq_xmit_all() on the same bq, transmitting (and freeing) the same frames. When the first task resumes, it operates on stale pointers in bq->q[], causing use-after-free.

  1. bq->count and bq->q[] corruption: concurrent bq_enqueue() modifying

bq->count and bq->q[] while bq_xmit_all() is reading them.

  1. dev_rx/xdp_prog teardown race: __dev_flush() clears bq->dev_rx and

bq->xdp_prog after bq_xmit_all(). If preempted between bq_xmit_all() return and bq->dev_rx = NULL, a preempting bq_enqueue() sees dev_rx still set (non-NULL), skips adding bq to the flush_list, and enqueues a frame. When __dev_flush() resumes, it clears dev_rx and removes bq from the flush_list, orphaning the newly enqueued frame.

  1. __list_del_clearprev() on flush_node: similar to the cpumap race,

both tasks can call __list_del_clearprev() on the same flush_node, the second dereferences the prev pointer already set to NULL.

The race between task A (__dev_flush -> bq_xmit_all) and task B (bq_enqueue -> bq_xmit_all) on the same CPU:

Task A (xdp_do_flush) Task B (ndo_xdp_xmit redirect) ---------------------- -------------------------------- __dev_flush(flush_list) bq_xmit_all(bq) cnt = bq->count /* e.g. 16 */ /* start iterating bq->q[] */ <-- CFS preempts Task A --> bq_enqueue(dev, xdpf) bq->count == DEV_MAP_BULK_SIZE bq_xmit_all(bq, 0) cnt = bq->count /* same 16! */ ndo_xdp_xmit(bq->q[]) /* frames freed by driver */ bq->count = 0 <-- Task A resumes --> ndo_xdp_xmit(bq->q[]) /* use-after-free: frames already freed! */

Fix this by adding a local_lock_t to xdp_dev_bulk_queue and acquiring it in bq_enqueue() and __dev_flush(). These paths already run under local_bh_disable(), so use local_lock_nested_bh() which on non-RT is a pure annotation with no overhead, and on PREEMPT_RT provides a per-CPU sleeping lock that serializes access to the bq.

AnalysisAI

This vulnerability is a race condition in the Linux kernel's BPF devmap subsystem that occurs on PREEMPT_RT kernels, where per-CPU bulk queue structures can be accessed concurrently by multiple preemptible tasks on the same CPU. An attacker or unprivileged local process can trigger use-after-free, double-free, or memory corruption conditions by crafting specific XDP (eXpress Data Path) redirect operations that cause concurrent access to shared queue structures, potentially leading to kernel crashes, information disclosure, or privilege escalation. The vulnerability affects all Linux kernel versions with the vulnerable devmap code path and has been patched upstream, though CVSS and EPSS scores are not yet assigned and no public exploit or KEV status is currently documented.

Technical ContextAI

The vulnerability resides in the Linux kernel's BPF subsystem, specifically in the devmap (device map) implementation used for XDP packet redirection. The affected code is in the per-CPU bulk queue (xdp_dev_bulk_queue) which manages batched XDP frame transmission. On PREEMPT_RT kernels, local_bh_disable() (softirq disable) does not prevent preemption; it only calls migrate_disable() when PREEMPT_RT_NEEDS_BH_LOCK is not set. This breaks the original atomicity assumption that bq_enqueue() and __dev_flush() would run atomically with respect to each other on the same CPU. The root cause falls under CWE-362 (Concurrent Access to Shared Resource with Inadequate Synchronization) and manifests as four distinct race conditions: double-free/use-after-free on the frame queue array (bq->q[]), corruption of queue metadata (bq->count), teardown races where device_rx and xdp_prog are cleared mid-operation, and unsafe list deletion on flush_node structures. The CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* indicates all Linux kernel versions are potentially affected until patched.

RemediationAI

Apply the upstream Linux kernel patch immediately, which fixes the race condition by adding a local_lock_t to the xdp_dev_bulk_queue structure and using local_lock_nested_bh() to serialize access in bq_enqueue() and __dev_flush(). Merge the patches from commits 6c10b019785dc282c5f45d21e4a3f468b8fd6476, ab1a56c9d99189aa5c6e03940d06e40ba6a28240, and 1872e75375c40add4a35990de3be77b5741c252c (available at https://git.kernel.org/stable/) into your kernel tree. For distribution kernels (Red Hat, Ubuntu, Debian, etc.), update to the latest stable kernel release that includes these patches. If immediate patching is not possible, disable unprivileged BPF loading via sysctl kernel.unprivileged_bpf_disabled=1 and restrict XDP usage to trusted administrators. For real-time systems that cannot rapidly patch, consider restricting BPF program loading and XDP redirect operations to essential workloads only.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15225 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy