PatchSiren

CVE-2026-23256 Linux CVE debrief

CVE-2026-23256 is a Linux kernel bug in the liquidio VF setup path where a cleanup loop can miss the failing index after initialization aborts, leaving allocated memory unreleased. The issue is categorized as CWE-193 (off-by-one) and carries a medium severity rating with local, low-privilege impact focused on availability.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-18
Original CVE updated: 2026-05-21
Advisory published: 2026-03-18
Advisory updated: 2026-05-21

Who should care

Linux kernel maintainers, distro security teams, and operators running kernels that include the liquidio driver should review this fix, especially if they deploy affected kernel series identified by NVD.

Technical summary

In setup_nic_devices(), a failure jumps to the setup_nic_dev_free label for cleanup. The existing while (i--) loop decrements i before its body runs, so cleanup starts at index i-1 and skips the index that was being set up when the failure occurred. As a result, one allocation is not freed and a memory leak results. The fix changes cleanup to iterate from the current index down to 0 so the failing entry is included. NVD maps the issue to CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and lists affected Linux kernel ranges across multiple stable branches, with fixes referenced by several kernel.org stable patch links.
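
The off-by-one described above, reduced to a user-space model. This is an added example, not the liquidio driver source or the upstream patch; NDEV, dev_free(), leaked_after_setup() and the injected failure index are hypothetical names and constructed inputs, and the for loop is one way to write the inclusive cleanup the fix is described as performing.

```c
#include <stdio.h>
#include <stdlib.h>

#define NDEV 4                 /* constructed device count */
static int live;               /* allocations not yet released */

static void dev_free(void **slot)
{
    if (!*slot)
        return;
    free(*slot);
    *slot = NULL;
    live--;
}

/* Run setup with a failure injected at index fail_at (-1: none) and return
 * how many allocations the error path left behind. */
static int leaked_after_setup(int fail_at, int fixed)
{
    void *dev[NDEV] = { 0 };
    int i, leaked;
    live = 0;
    for (i = 0; i < NDEV; i++) {
        dev[i] = malloc(64);
        live += (dev[i] != NULL);
        if (!dev[i] || i == fail_at)   /* dev[i] may already be allocated */
            goto err_free;
    }
    i = NDEV - 1;                      /* no failure: ordinary full teardown */
    fixed = 1;
err_free:
    if (fixed)
        for (; i >= 0; i--)            /* visits i, i-1, ..., 0 */
            dev_free(&dev[i]);
    else
        while (i--)                    /* visits i-1, ..., 0: index i skipped */
            dev_free(&dev[i]);
    leaked = live;
    for (i = 0; i < NDEV; i++)         /* sweep so the demo itself stays clean */
        dev_free(&dev[i]);
    return leaked;
}

int main(void)
{
    printf("while (i--): %d leaked, inclusive: %d leaked\n",
           leaked_after_setup(2, 0), leaked_after_setup(2, 1));
    return 0;
}
```

A failure at index 0 is the case most easily missed in review: while (i--) performs no iterations at all, so the single allocation made so far is the one that leaks.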

Defensive priority

Medium priority. The vulnerability is local and requires low privileges, but it can still degrade system availability through memory leakage in affected kernel builds. Prioritize patching in environments that use the liquidio driver or track the affected kernel branches.

Recommended defensive actions

  • Apply the kernel patches referenced in the NVD record and vendor references.
  • Verify whether your deployed Linux kernel version falls within the affected ranges listed by NVD.
  • If you do not use the liquidio driver, confirm whether it is built or loadable in your kernel configuration and disable it where appropriate.
  • Track downstream distro advisories for backported fixes in supported kernel packages.
  • Validate patched kernels in staging before rollout, especially on systems that depend on liquidio hardware.

Evidence notes

The source description states that the bug was found through code review and was compile tested only. The NVD record classifies it as CWE-193 and provides the CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. NVD also lists affected Linux kernel version ranges and multiple kernel.org stable patch references.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-03-18. The issue was identified via code review, and kernel.org stable patch references are available for remediation.