{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23326", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.996Z", "datePublished": "2026-03-25T10:27:19.021Z", "dateUpdated": "2026-03-25T10:27:19.021Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:19.021Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix fragment node deletion to prevent buffer leak\n\nAfter commit b692bf9a7543 (\"xsk: Get rid of xdp_buff_xsk::xskb_list_node\"),\nthe list_node field is reused for both the xskb pool list and the buffer\nfree list, this causes a buffer leak as described below.\n\nxp_free() checks if a buffer is already on the free list using\nlist_empty(&xskb->list_node). When list_del() is used to remove a node\nfrom the xskb pool list, it doesn't reinitialize the node pointers.\nThis means list_empty() will return false even after the node has been\nremoved, causing xp_free() to incorrectly skip adding the buffer to the\nfree list.\n\nFix this by using list_del_init() instead of list_del() in all fragment\nhandling paths, this ensures the list node is reinitialized after removal,\nallowing the list_empty() to work correctly."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/xdp_sock_drv.h", "net/xdp/xsk.c"], "versions": [{"version": "560c974b7ccd95bb9ff20df77f6654283e45c9c6", "lessThan": "5172adf9efb8298a52f4dcdc3f98d4d9d1e06a6d", "status": "affected", "versionType": "git"}, {"version": "fd5614763805d6f386bd07cc53558f88b1b1eb62", "lessThan": "2a9ea988465ece5b6896b1bdc144170a64e84c35", "status": "affected", "versionType": "git"}, {"version": "b692bf9a7543af7ad11a59d182a3757578f0ba53", "lessThan": "645c6d8376ad4913cbffe0e0c2cca0c4febbe596", "status": "affected", "versionType": "git"}, {"version": "b692bf9a7543af7ad11a59d182a3757578f0ba53", "lessThan": "b38cbd4af5034635cff109e08788c63f956f3a69", "status": "affected", "versionType": "git"}, {"version": "b692bf9a7543af7ad11a59d182a3757578f0ba53", "lessThan": "60abb0ac11dccd6b98fd9182bc5f85b621688861", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/xdp_sock_drv.h", "net/xdp/xsk.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5172adf9efb8298a52f4dcdc3f98d4d9d1e06a6d"}, {"url": "https://git.kernel.org/stable/c/2a9ea988465ece5b6896b1bdc144170a64e84c35"}, {"url": "https://git.kernel.org/stable/c/645c6d8376ad4913cbffe0e0c2cca0c4febbe596"}, {"url": "https://git.kernel.org/stable/c/b38cbd4af5034635cff109e08788c63f956f3a69"}, {"url": "https://git.kernel.org/stable/c/60abb0ac11dccd6b98fd9182bc5f85b621688861"}], "title": "xsk: Fix fragment node deletion to prevent buffer leak", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix fragment node deletion to prevent buffer leak\n\nAfter commit b692bf9a7543 (\"xsk: Get rid of xdp_buff_xsk::xskb_list_node\"),\nthe list_node field is reused for both the xskb pool list and the buffer\nfree list, this causes a buffer leak as described below.\n\nxp_free() checks if a buffer is already on the free list using\nlist_empty(&xskb->list_node). When list_del() is used to remove a node\nfrom the xskb pool list, it doesn't reinitialize the node pointers.\nThis means list_empty() will return false even after the node has been\nremoved, causing xp_free() to incorrectly skip adding the buffer to the\nfree list.\n\nFix this by using list_del_init() instead of list_del() in all fragment\nhandling paths, this ensures the list node is reinitialized after removal,\nallowing the list_empty() to work correctly."}], "id": "CVE-2026-23326", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:29.687", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2a9ea988465ece5b6896b1bdc144170a64e84c35"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5172adf9efb8298a52f4dcdc3f98d4d9d1e06a6d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/60abb0ac11dccd6b98fd9182bc5f85b621688861"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/645c6d8376ad4913cbffe0e0c2cca0c4febbe596"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b38cbd4af5034635cff109e08788c63f956f3a69"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: xsk: Fix fragment node deletion to prevent buffer leak", "id": "2451215", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451215"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-909", "details": ["A flaw was found in the Linux kernel. An issue in the eXpress Data Path (XDP) socket (xsk) component, specifically during fragment node deletion, can lead to a buffer leak. This occurs because a list node is not properly reinitialized after removal, causing the system to incorrectly manage memory. This could potentially lead to system instability or a denial of service."], "name": "CVE-2026-23326", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23326\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23326\nhttps://lore.kernel.org/linux-cve-announce/2026032531-CVE-2026-23326-ffc6@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[560c974b7ccd95bb9ff20df77f6654283e45c9c6,5172adf9efb8298a52f4dcdc3f98d4d9d1e06a6d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[fd5614763805d6f386bd07cc53558f88b1b1eb62,2a9ea988465ece5b6896b1bdc144170a64e84c35)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b692bf9a7543af7ad11a59d182a3757578f0ba53,645c6d8376ad4913cbffe0e0c2cca0c4febbe596)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b692bf9a7543af7ad11a59d182a3757578f0ba53,b38cbd4af5034635cff109e08788c63f956f3a69)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b692bf9a7543af7ad11a59d182a3757578f0ba53,60abb0ac11dccd6b98fd9182bc5f85b621688861)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T13:57:38.513187+00:00", "value": {"mitigation_remediation": ["Apply the kernel update that contains commit b692bf9a7543 or any newer version that uses list_del_init for XDP fragment handling.", "Verify your running kernel version with uname -r or by checking /boot/vmlinuz; ensure it includes the fix before asserting the system is protected.", "If an immediate kernel update is not possible, monitor system memory usage and kernel logs for signs of the xsk buffer leak; apply temporary tuning or restrict XDP traffic until the patch can be deployed.", "Consider disabling or reconfiguring XDP sockets on interfaces that do not need high\u2011speed packet processing to reduce the attack surface until the vulnerability is fully mitigated."], "summary": {"action": "Apply Patch", "impact": "Buffer Leak Leading to Resource Exhaustion"}, "threat_synthesis": {"affected_systems": "The flaw affects all Linux kernel releases that include the flawed xsk fragment handling logic prior to the commit that replaces list_del() with list_del_init(). Users of any distribution\u2019s kernel that has not been updated to include this patch are vulnerable. The issue applies to kernel components associated with network packet handling and XDP socket (xsk) buffers. No specific vendor version numbers are listed; any kernel version lacking the patch is susceptible.", "description_and_impact": "The vulnerability exposes a buffer leak in the Linux kernel\u2019s eXpress Data Path (XDP) socket (xsk) fragment handling. A node removed from the packet buffer pool list was not re\u2011initialized, causing the free\u2011list test to fail and preventing the buffer from being added back to the pool. This results in incrementally increasing memory usage as buffers are leaked. The weakness is a classic buffer leak, classified as CWE\u2011909, and can lead to degraded system performance or denial of service if the leak is exploited extensively.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a moderate impact, and the EPSS score of less than 1% suggests a low probability of exploitation. The flaw is not currently listed in the CISA KEV catalog. While the description does not state an explicit attack vector, the nature of the bug implies that an attacker would need to trigger the XDP fragment handling path\u2014likely by sending a large number or specially crafted packets to a network interface configured for xsk. This inference points to a local or network\u2011based denial of service risk rather than remote code execution."}}}}, "created": "2026-03-25T21:27:35.030841+00:00", "updated": "2026-03-27T09:49:46.086554+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}