macvlan: fix error recovery in macvlan_common_newlink()
Summary
| CVE | CVE-2026-23209 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-02-14 17:15:58 UTC |
| Updated | 2026-04-03 14:16:27 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 ping -c1 -I p1 1.2.3.4 He also gave a very detailed analysis: <quote valis> The issue is triggered when a new macvlan link is created with MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan port and register_netdevice() called from macvlan_common_newlink() fails (e.g. because of the invalid link name). In this case macvlan_hash_add_source is called from macvlan_change_sources() / macvlan_common_newlink(): This adds a reference to vlan to the port's vlan_source_hash using macvlan_source_entry. vlan is a pointer to the priv data of the link that is being created. When register_netdevice() fails, the error is returned from macvlan_newlink() to rtnl_newlink_create(): if (ops->newlink) err = ops->newlink(dev, ¶ms, extack); else err = register_netdevice(dev); if (err < 0) { free_netdev(dev); goto out; } and free_netdev() is called, causing a kvfree() on the struct net_device that is still referenced in the source entry attached to the lower device's macvlan port. Now all packets sent on the macvlan port with a matching source mac address will trigger a use-after-free in macvlan_forward_source(). </quote valis> With all that, my fix is to make sure we call macvlan_flush_sources() regardless of @create value whenever "goto destroy_macvlan_port;" path is taken. Many thanks to valis for following up on this issue. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Problem Types: CWE-416
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected aa5fd0fb77486b8a6764ead8627baa14790e4280 da5c6b8ae47e414be47e5e04def15b25d5c962dc git | Not specified |
| CNA | Linux | Linux | affected aa5fd0fb77486b8a6764ead8627baa14790e4280 5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a git | Not specified |
| CNA | Linux | Linux | affected aa5fd0fb77486b8a6764ead8627baa14790e4280 c43d0e787cbba569ec9d11579ed370b50fab6c9c git | Not specified |
| CNA | Linux | Linux | affected aa5fd0fb77486b8a6764ead8627baa14790e4280 11ba9f0dc865136174cb98834280fb21bbc950c7 git | Not specified |
| CNA | Linux | Linux | affected aa5fd0fb77486b8a6764ead8627baa14790e4280 986967a162142710076782d5b93daab93a892980 git | Not specified |
| CNA | Linux | Linux | affected aa5fd0fb77486b8a6764ead8627baa14790e4280 cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66 git | Not specified |
| CNA | Linux | Linux | affected aa5fd0fb77486b8a6764ead8627baa14790e4280 f8db6475a83649689c087a8f52486fcc53e627e9 git | Not specified |
| CNA | Linux | Linux | affected 4.9 | Not specified |
| CNA | Linux | Linux | unaffected 4.9 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.250 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.200 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.163 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.124 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.70 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.10 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/da5c6b8ae47e414be47e5e04def15b25d5c962dc | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/c43d0e787cbba569ec9d11579ed370b50fab6c9c | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/986967a162142710076782d5b93daab93a892980 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/f8db6475a83649689c087a8f52486fcc53e627e9 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/11ba9f0dc865136174cb98834280fb21bbc950c7 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.