CVE-2026-23001
Published: 25 January 2026
Summary
CVE-2026-23001 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 1.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-23001 is a use-after-free (UAF) vulnerability in the Linux kernel's macvlan driver, specifically within the macvlan_forward_source() function. The issue arises because the vlan pointer in struct macvlan_source_entry lacks proper RCU protection. When macvlan_hash_del_source() is called, the entry->vlan pointer is not cleared before the RCU grace period begins, potentially allowing macvlan_forward_source() to access entries queued for freeing. Although macvlan_dev structures are already RCU-protected as part of netdev_priv(ndev), this gap enables the UAF. The vulnerability carries a CVSS v3.1 base score of 7.8 and is classified under CWE-416.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), with the security scope unchanged. This could enable arbitrary code execution, kernel crashes, or other severe disruptions by manipulating macvlan source entries during forwarding operations.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, such as 15f6faf36e162532bec5cc05eb3fc622108bf2ed, 232afc74a6dde0fe183098e5827921f5ec9bb3f, 484919832e2db6ce1e8add92c469e5d459a516b5, 6dbead9c7677186f22b7981dd085a0feec1f038e, and 7470a7a63dc162f07c26dbf960e41ee1e248d80e. These commits add RCU protection by clearing the entry->vlan pointer before the RCU grace period in macvlan_hash_del_source(), allowing macvlan_forward_source() to safely skip queued entries. Additional discussion is available at https://lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u.
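The ordering the patches rely on, shown as an added single-threaded userspace C model; it is not the kernel code or the upstream patch. The struct and function names are hypothetical, C11 atomics stand in for the kernel's RCU primitives, and grace_period_end() stands in for the end of the RCU grace period.

```c
#include <stdatomic.h>
#include <stdlib.h>
struct vlan_dev { int rx; };           /* hypothetical stand-in for struct macvlan_dev */
struct source_entry {                  /* hypothetical stand-in for struct macvlan_source_entry */
    _Atomic(struct vlan_dev *) vlan;   /* pointer the reader follows */
    struct source_entry *next;         /* hash-bucket chain */
    struct source_entry *gc_next;      /* deferred-free queue */
};
static struct source_entry *bucket;    /* one hash bucket */
static struct source_entry *gc_queue;  /* entries awaiting the grace period */

struct source_entry *add_source(struct vlan_dev *v)
{
    struct source_entry *e = calloc(1, sizeof(*e));
    if (!e) return NULL;
    atomic_init(&e->vlan, v);
    e->next = bucket;
    bucket = e;
    return e;
}

/* Writer: clear vlan first, then unlink and queue the entry for freeing. */
void del_source(struct source_entry *e)
{
    atomic_store_explicit(&e->vlan, NULL, memory_order_release);
    for (struct source_entry **pp = &bucket; *pp; pp = &(*pp)->next)
        if (*pp == e) { *pp = e->next; break; }  /* e->next stays valid for readers */
    e->gc_next = gc_queue;
    gc_queue = e;
}

/* Reader step: load vlan once; NULL marks an entry queued for freeing. */
int forward_one(struct source_entry *e)
{
    struct vlan_dev *v = atomic_load_explicit(&e->vlan, memory_order_acquire);
    if (!v) return 0;                  /* skip: never touch the device */
    v->rx++;
    return 1;
}

/* Stand-in for the end of the grace period: free everything queued. */
int grace_period_end(void)
{
    int freed = 0;
    for (struct source_entry *e; (e = gc_queue) != NULL; freed++) {
        gc_queue = e->gc_next;
        free(e);
    }
    return freed;
}
```

A reader that still holds an entry after del_source() gets 0 from forward_one() and leaves the device untouched, which is the "skip over entries queued for freeing" behaviour the commit message describes.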
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4615
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https://lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
- CWE(s): CWE-416
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Local kernel UAF in macvlan driver directly enables privilege escalation via arbitrary code execution from low-privileged context.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely remediation of the UAF flaw in the Linux kernel's macvlan driver by applying upstream patches that add RCU protection to the vlan pointer.
Prohibits unnecessary kernel drivers like macvlan to eliminate exposure to this driver-specific UAF vulnerability.
Provides kernel memory protections such as ASLR and non-executable pages that hinder successful exploitation of the macvlan UAF for code execution or crashes.