Skip to main content

Linux EUVDEUVD-2026-15256

| CVE-2026-23313 MEDIUM
2026-03-25 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 26, 2026 - 15:07 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15256
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix preempt count leak in napi poll tracepoint

Using get_cpu() in the tracepoint assignment causes an obvious preempt count leak because nothing invokes put_cpu() to undo it:

softirq: huh, entered softirq 3 NET_RX with preempt_count 00000100, exited with 00000101?

This clearly has seen a lot of testing in the last 3+ years...

Use smp_processor_id() instead.

AnalysisAI

A preempt count leak exists in the Linux kernel's i40e network driver within the napi poll tracepoint implementation, where get_cpu() is called without a corresponding put_cpu() to restore the preempt count. This affects all Linux kernel versions containing the vulnerable i40e driver code and can cause kernel accounting errors and potential system instability when the tracepoint is enabled. The vulnerability has no known active exploitation or public proof-of-concept code, and while not formally scored with CVSS, it represents a moderate kernel reliability issue that has persisted undetected for over three years.

Technical ContextAI

The vulnerability exists in the Intel i40e Ethernet driver (cpe:2.3:a:linux:linux) within the Linux kernel's network stack. The root cause is improper use of CPU preemption primitives in the napi poll tracepoint code path. The get_cpu() function increments the kernel's preempt count to prevent task migration, but the original code failed to call the corresponding put_cpu() function to decrement it. This violates the fundamental pairing requirement for preemption-disabling operations in the Linux kernel. When the tracepoint fires during network receive softirq processing, the preempt count becomes unbalanced, causing the kernel to report anomalies like 'entered softirq with preempt_count 00000100, exited with 00000101'. The fix replaces get_cpu() with smp_processor_id(), which reads the current CPU ID without modifying preempt state, addressing the core issue that the preempt count modification was unnecessary for the intended operation.

RemediationAI

Apply the upstream Linux kernel patch by updating to a fixed kernel version through your distribution's package manager. Users should identify which stable kernel series they are running and apply the corresponding fix commit (b7e91827e1cf89cd34ad11dc8f8c010b70ab786e for mainline or equivalent backports for earlier series) available via https://git.kernel.org/stable. For distributions like Ubuntu, RHEL, Debian, and others, this fix should appear in the next kernel security update for affected versions. Until patching is completed, disable i40e napi poll tracepoints if they have been explicitly enabled for debugging by removing any active tracepoint rules via the tracefs interface (echo 0 > /sys/kernel/debug/tracing/events/i40e/napi_poll/enable). Most production systems running default kernel configurations are unaffected since tracepoints are typically disabled by default; the vulnerability primarily impacts systems with active kernel tracing or debugging enabled.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15256 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy