Skip to main content

Linux EUVDEUVD-2026-15279

| CVE-2026-23326 HIGH
Out-of-bounds Write (CWE-787)
2026-03-25 Linux
High
Disputed · 7.8 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 23, 2026 - 21:27 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 21:27 NVD
7.8 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15279
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xsk: Fix fragment node deletion to prevent buffer leak

After commit b692bf9a7543 ("xsk: Get rid of xdp_buff_xsk::xskb_list_node"), the list_node field is reused for both the xskb pool list and the buffer free list, this causes a buffer leak as described below.

xp_free() checks if a buffer is already on the free list using list_empty(&xskb->list_node). When list_del() is used to remove a node from the xskb pool list, it doesn't reinitialize the node pointers. This means list_empty() will return false even after the node has been removed, causing xp_free() to incorrectly skip adding the buffer to the free list.

Fix this by using list_del_init() instead of list_del() in all fragment handling paths, this ensures the list node is reinitialized after removal, allowing the list_empty() to work correctly.

AnalysisAI

This vulnerability is a memory leak in the Linux kernel's AF_XDP socket implementation where buffers fail to be properly returned to the free list due to improper list node reinitialization. The vulnerability affects all Linux kernel versions with the AF_XDP subsystem enabled, potentially allowing local attackers or unprivileged users to exhaust kernel memory over time. While not actively exploited in the wild according to available intelligence, the vulnerability has clear patches available in stable kernel branches and represents a real denial-of-service risk for systems relying on XDP functionality.

Technical ContextAI

The vulnerability exists in the Linux kernel's Express Data Path (XDP) socket (AF_XDP) buffer management subsystem, specifically in the xsk driver code. Following commit b692bf9a7543, a single list_node field was reused for both tracking buffers in the xskb pool list and the buffer free list. The root cause is improper use of list_del() instead of list_del_init() in fragment handling paths. When list_del() removes a node from the pool list, the node's forward and backward pointers retain stale values, causing the list_empty() check in xp_free() to incorrectly report the node as still linked. This violates the intended contract of list_empty() and creates a use-after-free-like condition where freed buffers are not returned to the free pool. The affected product is the Linux kernel itself (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), impacting all distributions and versions with AF_XDP enabled.

RemediationAI

Update the Linux kernel to a patched version that includes one of the five available fixes (referenced in git.kernel.org/stable/). Most major distributions (Red Hat, Debian, Ubuntu, SUSE) will backport this patch to their supported kernel branches; check your distribution's security advisory portal for the patched kernel version. Until patching is possible, disable AF_XDP functionality if it is not required in your environment (by removing the xsk module or disabling XDP in your network stack configuration). For systems actively using AF_XDP for production workloads, prioritize kernel updates to a version containing the list_del_init() fix, as the vulnerability directly impacts buffer pool integrity in these scenarios.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15279 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy