PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23454 Linux CVE debrief

A use-after-free vulnerability exists in the Microsoft Azure Network Adapter (MANA) driver within the Linux kernel. The flaw occurs in `mana_hwc_destroy_channel()` where `hwc->caller_ctx` is freed before the Hardware Channel's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This creates a race condition where an in-flight CQ interrupt handler can dereference freed memory when executing `mana_hwc_handle_resp()` or `mana_hwc_rx_event_handler()`. The root cause is improper teardown ordering: `mana_smc_teardown_hwc()` signals hardware to stop without synchronizing against IRQ handlers already executing on other CPUs, and IRQ synchronization only occurs later in `mana_hwc_destroy_cq()` via `mana_gd_destroy_eq()` → `mana_gd_deregister_irq()`. Since this runs after `kfree(hwc->caller_ctx)`, concurrent interrupt handlers can access freed `caller_ctx` and `rxq->msg_buf` memory. The vulnerability is classified as CWE-416 (Use After Free) with a CVSS 3.1 score of 7.0 (HIGH). Affected versions span Linux kernel 5.13 through 7.0-rc4 across multiple stable branches. The fix reorders teardown to reverse-of-creation order: destroying TX/RX work queues and CQ/EQ before freeing `hwc->caller_ctx`, ensuring all in-flight interrupt handlers complete before memory is freed.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-03
Original CVE updated
2026-05-26
Advisory published
2026-04-03
Advisory updated
2026-05-26

Who should care

Organizations running Linux systems with Microsoft Azure MANA network adapters, particularly in Azure cloud environments or on-premises deployments using MANA hardware. System administrators managing kernel upgrades for multi-CPU systems where interrupt handler races are more probable. Security teams monitoring for kernel-level memory safety vulnerabilities that could lead to privilege escalation or system instability.

Technical summary

The vulnerability exists in the Microsoft Azure Network Adapter (MANA) driver's hardware channel destruction path. The function `mana_hwc_destroy_channel()` in `drivers/net/ethernet/microsoft/mana/hw_channel.c` frees `hwc->caller_ctx` before destroying the Completion Queue and Event Queue. This ordering allows concurrent interrupt handlers to access freed memory. The fix implements proper reverse-order teardown: destroy TX/RX work queues via `mana_hwc_destroy_wq()`, destroy CQ via `mana_hwc_destroy_cq()`, destroy EQ via `mana_hwc_destroy_eq()`, and only then free `hwc->caller_ctx`. This ensures `mana_gd_deregister_irq()` completes IRQ synchronization before memory is released.

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable Linux kernel branches to affected systems. Priority patching for systems using Microsoft Azure MANA network adapters in multi-CPU configurations where interrupt handler races are more Lik
  • Upgrade to fixed kernel versions: 5.15.203 or later, 6.1.168 or later, 6.6.131 or later, 6.12.79 or later, 6.18.21 or later, 6.19.11 or later, or 7.0-rc5 or later
  • Monitor for kernel crashes or NULL pointer dereference oops messages in dmesg logs, particularly in `mana_hwc_handle_resp()` or `mana_hwc_rx_event_handler()` call stacks, which may indicate exploitation attempts or race
  • Review system configurations to identify deployments utilizing MANA (Microsoft Azure Network Adapter) hardware, as this vulnerability is specific to the mana driver subsystem
  • Consider temporary mitigation by avoiding hot-unplug operations of MANA devices if patching is not immediately feasible, as the race condition manifests during channel teardown

Evidence notes

Vulnerability description sourced from NVD CVE record published 2026-04-03 and modified 2026-05-26. CWE-416 classification and CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) from NVD enrichment. Affected version ranges derived from CPE criteria in NVD data: 5.13-5.15.202, 5.16-6.1.167, 6.2-6.6.130, 6.7-6.12.78, 6.13-6.18.20, 6.19-6.19.10, and 7.0-rc1 through rc4. Seven patch commits identified across stable kernel branches.

Official resources

2026-04-03