PatchSiren


CVE-2026-23313 Linux CVE debrief

A preempt count leak vulnerability exists in the Linux kernel's i40e driver, specifically within the NAPI poll tracepoint. The issue stems from using get_cpu() in a tracepoint assignment without a corresponding put_cpu() call, causing the preempt count to increment without decrement. This results in a softirq warning indicating mismatched preempt counts on entry and exit of NET_RX softirq processing. The vulnerability affects multiple Linux kernel versions from 6.2 through 7.0-rc2. The fix replaces get_cpu() with smp_processor_id(), which does not manipulate the preempt count. This is a local denial-of-service condition with medium severity.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-05-26
Advisory published: 2026-03-25
Advisory updated: 2026-05-26

Who should care

  • Linux system administrators operating kernels 6.2+ with Intel i40e network adapters
  • Organizations running network-intensive workloads with kernel tracepoints enabled
  • Security teams monitoring for local denial-of-service vectors in kernel networking subsystems

Technical summary

The i40e driver's NAPI poll tracepoint uses get_cpu() to obtain the current CPU ID for tracing purposes. This function increments the preempt count but lacks a matching put_cpu() call, causing a preempt count leak. The leak manifests as a kernel warning when softirq exits with a higher preempt count than entry. The fix substitutes smp_processor_id(), which retrieves the CPU ID without preempt count manipulation. Affected code paths involve network receive processing (NET_RX softirq) on systems with Intel i40e adapters. Exploitation requires local access to trigger network receive operations under tracepoint-enabled conditions, leading to potential system instability or denial of service through preempt count corruption.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches (6.6.136+, 6.12.77+, 6.18.17+, 6.19.7+) or mainline 7.0-rc3+ when available
  • Monitor kernel logs for softirq preempt count mismatch warnings as indicators of trigger conditions
  • Prioritize patching systems with Intel i40e network adapters where NAPI polling and tracepoints are active
  • Validate preempt count stability through kernel testing after patch application
  • Review custom kernel configurations enabling i40e driver tracepoints for exposure assessment
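
One way to implement the log-monitoring action above, as an added example (not PatchSiren's or the kernel project's code). It assumes the warning has the format of the pr_err() call in mainline kernel/softirq.c; the sample log lines are constructed.

```python
import re
import sys

# Assumed format: the pr_err() in mainline kernel/softirq.c, i.e.
# "huh, entered softirq %u %s %p with preempt_count %08x, exited with %08x?"
SOFTIRQ_MISMATCH = re.compile(
    r"huh, entered softirq (?P<nr>\d+) (?P<name>\S+) (?P<action>\S+) "
    r"with preempt_count (?P<entry>[0-9a-fA-F]{8}), "
    r"exited with (?P<exit>[0-9a-fA-F]{8})\?"
)

def find_mismatches(lines):
    """Return one dict per softirq preempt-count mismatch warning."""
    hits = []
    for line in lines:
        m = SOFTIRQ_MISMATCH.search(line)
        if not m:
            continue
        entry, exit_ = int(m["entry"], 16), int(m["exit"], 16)
        hits.append({
            "vector": m["name"],
            "entry": entry,
            "exit": exit_,
            # Positive delta: a preempt reference was taken and never
            # dropped, the pattern described for the i40e tracepoint.
            "leaked": exit_ - entry,
            "line": line.rstrip("\n"),
        })
    return hits

def net_rx_leaks(lines):
    """Mismatches on the NET_RX vector where the count went up."""
    return [h for h in find_mismatches(lines)
            if h["vector"] == "NET_RX" and h["leaked"] > 0]

# Constructed sample input (timestamps, pointer hashes and counts are made up).
SAMPLE = [
    "[  812.104511] i40e 0000:3b:00.0 eth2: NIC Link is Up",
    "[  913.442817] huh, entered softirq 3 NET_RX 00000000a1b2c3d4 with preempt_count 00000100, exited with 00000101?",
    "[  913.998120] huh, entered softirq 1 TIMER 00000000deadbeef with preempt_count 00000100, exited with 00000101?",
]

if __name__ == "__main__":
    # Read kernel log text from a pipe, or fall back to the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE
    for hit in net_rx_leaks(source):
        print(f"NET_RX preempt count leak (+{hit['leaked']}): {hit['line']}")
```

Pipe `dmesg` or `journalctl -k` output into the script on hosts with i40e adapters; a hit shows the warning fired but does not by itself identify i40e as the caller.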

Evidence notes

CVE published 2026-03-25; modified 2026-05-26. Kernel patches available for stable branches 6.6, 6.12, 6.18, 6.19, and mainline. CPE criteria confirm affected versions: 6.2-6.6.135, 6.7-6.12.76, 6.13-6.18.16, 6.19-6.19.6, and 7.0-rc1/rc2.
