FKIE_CVE-2026-23255

Vulnerability from fkie_nvd - Published: 2026-03-18 18:16 - Updated: 2026-04-27 14:16
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net: add proper RCU protection to /proc/net/ptype Yin Fengwei reported an RCU stall in ptype_seq_show() and provided a patch. Real issue is that ptype_seq_next() and ptype_seq_show() violate RCU rules. ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev to get device name without any barrier. At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->dev without an RCU grace period. Define ptype_iter_state to carry a dev pointer along seq_net_private: struct ptype_iter_state { struct seq_net_private p; struct net_device *dev; // added in this patch }; We need to record the device pointer in ptype_get_idx() and ptype_seq_next() so that ptype_seq_show() is safe against concurrent pt->dev changes. We also need to add full RCU protection in ptype_seq_next(). (Missing READ_ONCE() when reading list.next values) Many thanks to Dong Chenchen for providing a repro.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/002a73470b56848e4c81efeaaedd471e92d66d8d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/589a530ae44d0c80f523fcfd1a15af8087f27d35
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/dcefd3f0b9ed8288654c75254bdcee8e1085e861
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f613e8b4afea0cd17c7168e8b00e25bc8d33175d
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add proper RCU protection to /proc/net/ptype\n\nYin Fengwei reported an RCU stall in ptype_seq_show() and provided\na patch.\n\nReal issue is that ptype_seq_next() and ptype_seq_show() violate\nRCU rules.\n\nptype_seq_show() runs under rcu_read_lock(), and reads pt-\u003edev\nto get device name without any barrier.\n\nAt the same time, concurrent writers can remove a packet_type structure\n(which is correctly freed after an RCU grace period) and clear pt-\u003edev\nwithout an RCU grace period.\n\nDefine ptype_iter_state to carry a dev pointer along seq_net_private:\n\nstruct ptype_iter_state {\n\tstruct seq_net_private\tp;\n\tstruct net_device\t*dev; // added in this patch\n};\n\nWe need to record the device pointer in ptype_get_idx() and\nptype_seq_next() so that ptype_seq_show() is safe against\nconcurrent pt-\u003edev changes.\n\nWe also need to add full RCU protection in ptype_seq_next().\n(Missing READ_ONCE() when reading list.next values)\n\nMany thanks to Dong Chenchen for providing a repro."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: a\u00f1adir protecci\u00f3n RCU adecuada a /proc/net/ptype\n\nYin Fengwei inform\u00f3 de un bloqueo RCU en ptype_seq_show() y proporcion\u00f3 un parche.\n\nEl problema real es que ptype_seq_next() y ptype_seq_show() violan las reglas RCU.\n\nptype_seq_show() se ejecuta bajo rcu_read_lock(), y lee pt-\u0026gt;dev para obtener el nombre del dispositivo sin ninguna barrera.\n\nAl mismo tiempo, los escritores concurrentes pueden eliminar una estructura packet_type (que se libera correctamente despu\u00e9s de un per\u00edodo de gracia RCU) y borrar pt-\u0026gt;dev sin un per\u00edodo de gracia RCU.\n\nDefinir ptype_iter_state para llevar un puntero dev junto con seq_net_private:\n\nstruct ptype_iter_state {\n\tstruct seq_net_private\tp;\n\tstruct net_device\t*dev; // a\u00f1adido en este parche\n};\n\nNecesitamos registrar el puntero del dispositivo en ptype_get_idx() y ptype_seq_next() para que ptype_seq_show() est\u00e9 a salvo de cambios concurrentes en pt-\u0026gt;dev.\n\nTambi\u00e9n necesitamos a\u00f1adir protecci\u00f3n RCU completa en ptype_seq_next().\n(Falta READ_ONCE() al leer los valores de list.next)\n\nMuchas gracias a Dong Chenchen por proporcionar una reproducci\u00f3n."
    }
  ],
  "id": "CVE-2026-23255",
  "lastModified": "2026-04-27T14:16:29.743",
  "metrics": {},
  "published": "2026-03-18T18:16:23.687",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/002a73470b56848e4c81efeaaedd471e92d66d8d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/589a530ae44d0c80f523fcfd1a15af8087f27d35"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/dcefd3f0b9ed8288654c75254bdcee8e1085e861"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f613e8b4afea0cd17c7168e8b00e25bc8d33175d"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.