{ "threat_severity" : "Moderate", "public_date" : "2026-02-14T00:00:00Z", "bugzilla" : { "description" : "kernel: macvlan: fix error recovery in macvlan_common_newlink()", "id" : "2439900", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2439900" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmacvlan: fix error recovery in macvlan_common_newlink()\nvalis provided a nice repro to crash the kernel:\nip link add p1 type veth peer p2\nip link set address 00:00:00:00:00:20 dev p1\nip link set up dev p1\nip link set up dev p2\nip link add mv0 link p2 type macvlan mode source\nip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20\nping -c1 -I p1 1.2.3.4\nHe also gave a very detailed analysis:\n\nThe issue is triggered when a new macvlan link is created with\nMACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or\nMACVLAN_MACADDR_SET) parameter, lower device already has a macvlan\nport and register_netdevice() called from macvlan_common_newlink()\nfails (e.g. because of the invalid link name).\nIn this case macvlan_hash_add_source is called from\nmacvlan_change_sources() / macvlan_common_newlink():\nThis adds a reference to vlan to the port's vlan_source_hash using\nmacvlan_source_entry.\nvlan is a pointer to the priv data of the link that is being created.\nWhen register_netdevice() fails, the error is returned from\nmacvlan_newlink() to rtnl_newlink_create():\nif (ops->newlink)\nerr = ops->newlink(dev, ¶ms, extack);\nelse\nerr = register_netdevice(dev);\nif (err < 0) {\nfree_netdev(dev);\ngoto out;\n}\nand free_netdev() is called, causing a kvfree() on the struct\nnet_device that is still referenced in the source entry attached to\nthe lower device's macvlan port.\nNow all packets sent on the macvlan port with a matching source mac\naddress will trigger a use-after-free in macvlan_forward_source().\n\nWith all that, my fix is to make sure we call macvlan_flush_sources()\nregardless of @create value whenever \"goto destroy_macvlan_port;\"\npath is taken.\nMany thanks to valis for following up on this issue.", "A use-after-free vulnerability was found in the macvlan driver. When creating a macvlan interface in source mode fails after the source MAC has been added to the hash table (e.g., due to an invalid interface name), the hash entry still references the freed net_device structure. Subsequent packets matching that source MAC trigger use-after-free in macvlan_forward_source()." ], "statement" : "This vulnerability can be exploited by a local user with CAP_NET_ADMIN to trigger use-after-free by creating a macvlan with an invalid name. The detailed reproducer and analysis were provided by a security researcher. This could potentially be used for privilege escalation via controlled memory corruption.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-04-06T00:00:00Z", "advisory" : "RHSA-2026:6632", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.49.1.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support", "release_date" : "2026-04-06T00:00:00Z", "advisory" : "RHSA-2026:6692", "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0", "package" : "kernel-0:6.12.0-55.66.1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-03-30T00:00:00Z", "advisory" : "RHSA-2026:6036", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.115.1.rt7.456.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-03-30T00:00:00Z", "advisory" : "RHSA-2026:6037", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.115.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-03-30T00:00:00Z", "advisory" : "RHSA-2026:6153", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.45.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-03-30T00:00:00Z", "advisory" : "RHSA-2026:6153", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.45.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2026-04-01T00:00:00Z", "advisory" : "RHSA-2026:6310", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.117.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-03-30T00:00:00Z", "advisory" : "RHSA-2026:6164", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "kernel-0:5.14.0-570.103.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Under investigation", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23209\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23209\nhttps://lore.kernel.org/linux-cve-announce/2026021439-CVE-2026-23209-9ad6@gregkh/T" ], "name" : "CVE-2026-23209", "mitigation" : { "value" : "To mitigate this issue, prevent module macvlan from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.", "lang" : "en:us" }, "csaw" : false }