PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23273 Linux CVE debrief

CVE-2026-23273 describes a Linux kernel macvlan race condition in error handling that can leave a device visible long enough for a concurrent packet path to hit freed memory. The reported impact is a kernel use-after-free in macvlan_forward_source after macvlan_common_newlink() encounters an error and its caller frees the netdev too early without an RCU grace period. The CVSS vector indicates a local, low-privilege attack surface with high confidentiality, integrity, and availability impact.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-20
Original CVE updated
2026-04-02
Advisory published
2026-03-20
Advisory updated
2026-04-02

Who should care

Linux kernel maintainers, distro security teams, and operators using macvlan-based networking should treat this as relevant, especially in container, virtual networking, or multi-tenant host environments where macvlan devices are created dynamically.

Technical summary

According to the CVE description, macvlan_common_newlink() may make @dev visible before it detects a creation error. If the caller then directly calls free_netdev(dev) without respecting an RCU grace period, another execution context can still access the device through macvlan packet forwarding paths. The reported reproduction produced a KASAN slab-use-after-free in macvlan_forward_source, showing that the race can be exercised by timing packet delivery against failed macvlan creation. The supplied references point to Linux kernel stable commit pages, indicating that the issue has been addressed in kernel source history, but no affected or fixed version range is provided in the supplied corpus.

Defensive priority

High. This is a kernel memory-safety issue in networking code with high CVSS impact. Even without proof of remote exploitability in the supplied material, the combination of race-triggered use-after-free and kernel context justifies prompt triage and patch verification.

Recommended defensive actions

  • Check whether your Linux kernel build includes the macvlan error-path RCU fix referenced by the supplied kernel commit links.
  • Prioritize patching hosts that create macvlan interfaces dynamically, including container hosts and virtualized networking deployments.
  • Monitor kernel release notes and vendor advisories for backported fixes tied to CVE-2026-23273.
  • If you maintain a custom kernel or out-of-tree networking changes, review macvlan error handling for premature device free paths and RCU assumptions.
  • Use the CVE and NVD records to track final vendor guidance, since the supplied NVD entry is still marked as undergoing analysis.

Evidence notes

The description explicitly states that macvlan_common_newlink() may expose @dev before an error is detected and that the caller then directly frees the netdev, requiring an RCU grace period either in macvlan or the networking core. It also includes a KASAN report showing a slab-use-after-free in macvlan_forward_source, along with allocation and free traces from rtnl_newlink() and kfree(). The CVE metadata gives CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, publishedAt 2026-03-20T09:16:12.847Z, and modifiedAt 2026-04-02T15:16:29.503Z. The supplied NVD record lists vulnerability status as Undergoing Analysis. No KEV entry is present in the supplied corpus.

Official resources

CVE published 2026-03-20T09:16:12.847Z and modified 2026-04-02T15:16:29.503Z. The supplied NVD record remains Undergoing Analysis. No KEV entry is present in the supplied data.