CVE-2026-23255

MEDIUM

net: add proper RCU protection to /proc/net/ptype

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: net: add proper RCU protection to /proc/net/ptype Yin Fengwei reported an RCU stall in ptype_seq_show() and provided a patch. Real issue is that ptype_seq_next() and ptype_seq_show() violate RCU rules. ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev to get device name without any barrier. At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->dev without an RCU grace period. Define ptype_iter_state to carry a dev pointer along seq_net_private: struct ptype_iter_state { struct seq_net_private p; struct net_device *dev; // added in this patch }; We need to record the device pointer in ptype_get_idx() and ptype_seq_next() so that ptype_seq_show() is safe against concurrent pt->dev changes. We also need to add full RCU protection in ptype_seq_next(). (Missing READ_ONCE() when reading list.next values) Many thanks to Dong Chenchen for providing a repro.

Scores

CVSS v3 5.5
EPSS 0.0011
EPSS Percentile 1.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

Status published
Products (20)
linux/Kernel 2.6.12 - 6.1.175linux
linux/Kernel 2.6.12 - 6.18.10linux
linux/Kernel 6.13.0 - 6.18.10linux
linux/Kernel 6.2.0 - 6.6.136linux
linux/Kernel 6.7.0 - 6.12.80linux
Linux/Linux < 2.6.12
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 002a73470b56848e4c81efeaaedd471e92d66d8d
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 589a530ae44d0c80f523fcfd1a15af8087f27d35
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - dcefd3f0b9ed8288654c75254bdcee8e1085e861
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - e974a10a52618f7f57a4bce173a0ed96acd4e5dc
... and 10 more
Published Mar 18, 2026
Tracked Since Mar 18, 2026