Cyber Resilience

CVE-2026-23001

High

Published: 25 January 2026

Published
25 January 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 1.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23001 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-23001 is a use-after-free (UAF) vulnerability in the Linux kernel's macvlan driver, specifically within the macvlan_forward_source() function. The issue arises because the vlan pointer in struct macvlan_source_entry lacks proper RCU protection. When macvlan_hash_del_source() is called, the entry->vlan pointer is not cleared before the RCU grace period begins, potentially allowing macvlan_forward_source() to access entries queued for freeing. Although macvlan_dev structures are already RCU-protected as part of netdev_priv(ndev), this gap enables the UAF. The vulnerability carries a CVSS v3.1 base score of 7.8 and is classified under CWE-416.

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged security scope. This could enable arbitrary code execution, kernel crashes, or other severe disruptions by manipulating macvlan source entries during forwarding operations.

Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, such as 15f6faf36e162532bec5cc05eb3fc622108bf2ed, 232afc74a6dde0fe183098e5827921f5ec9bb3f, 484919832e2db6ce1e8add92c469e5d459a516b5, 6dbead9c7677186f22b7981dd085a0feec1f038e, and 7470a7a63dc162f07c26dbf960e41ee1e248d80e. These commits add RCU protection by clearing the entry->vlan pointer before the RCU grace period in macvlan_hash_del_source(), allowing macvlan_forward_source() to safely skip queued entries. Additional discussion is available at https://lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to…

more

skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in macvlan driver directly enables privilege escalation via arbitrary code execution from low-privileged context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel
CVE-2026-23077Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
3.18, 6.19 · 3.18.1 — 5.10.249 · 5.11 — 5.15.199 · 5.16 — 6.1.162

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of the UAF flaw in the Linux kernel's macvlan driver by applying upstream patches that add RCU protection to the vlan pointer.

prevent

Prohibits unnecessary kernel drivers like macvlan to eliminate exposure to this driver-specific UAF vulnerability.

prevent

Provides kernel memory protections such as ASLR and non-executable pages that hinder successful exploitation of the macvlan UAF for code execution or crashes.

References