CVE-2026-23013

HIGH

Linux Kernel - Use-After-Free in octeon_ep_vf IRQ Rollback

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqaction registered. This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or crash when an interrupt fires. Fix the error path to free IRQs with the same ioq_vector dev_id used during request_irq().

References (3)

Core 3

Core References

Patch

https://git.kernel.org/stable/c/aa05a8371ae4a452df623f7202c72409d3c50e40

Patch

https://git.kernel.org/stable/c/aa4c066229b05fc3d3c5f42693d25b1828533b6e

Patch

https://git.kernel.org/stable/c/f93fc5d12d69012788f82151bee55fce937e1432

Scores

CVSS v3 7.0

EPSS 0.0002

EPSS Percentile 4.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-416

Status published

Products (13)

linux/Kernel 6.13.0 - 6.18.7linux

linux/Kernel 6.9.0 - 6.12.67linux

Linux/Linux < 6.9

Linux/Linux 1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1 - aa05a8371ae4a452df623f7202c72409d3c50e40

Linux/Linux 1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1 - aa4c066229b05fc3d3c5f42693d25b1828533b6e

Linux/Linux 1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1 - f93fc5d12d69012788f82151bee55fce937e1432

Linux/Linux 6.12.67 - 6.12.*

Linux/Linux 6.18.7 - 6.18.*

Linux/Linux 6.19

Linux/Linux 6.9

... and 3 more

Published Jan 25, 2026

Tracked Since Feb 18, 2026