CVE-2026-23013
Published: 25 January 2026
Summary
CVE-2026-23013 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 6.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-23013 is a use-after-free vulnerability (CWE-416) in the Linux kernel's octeon_ep_vf network driver, affecting MSI-X queue IRQ handling. The issue arises in octep_vf_request_irqs(), where IRQs are requested with a dev_id set to ioq_vector. During partial failure rollback, free_irq() is called with a mismatched dev_id of 'oct', leaving the irqaction registered even as ioq_vector is freed later. This can trigger a use-after-free or kernel crash when an interrupt fires. The vulnerability carries a CVSS v3.1 base score of 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-25.
A local attacker with low privileges (PR:L) can exploit this vulnerability, though it requires high attack complexity (AC:H) and local access (AV:L) with no user interaction. Successful exploitation leads to a use-after-free condition, potentially allowing arbitrary code execution, data corruption, or denial of service via kernel crash when a relevant interrupt occurs during driver teardown.
Mitigation involves applying the upstream kernel patches referenced in the stable commit fixes: aa05a8371ae4a452df623f7202c72409d3c50e40, aa4c066229b05fc3d3c5f42693d25b1828533b6e, and f93fc5d12d69012788f82151bee55fce937e1432. These commits correct the error path to use the matching ioq_vector dev_id in free_irq() calls, preventing the mismatch and subsequent use-after-free. Security practitioners should update affected Linux kernels, particularly those using the octeon_ep_vf driver on compatible hardware.
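The dev_id matching behind this bug, as an added userspace C model (not the driver's or the kernel's code). The names `model_request_irq()`, `model_free_irq()` and `request_irqs()`, the vector count and the simulated failure point are all constructed for illustration.

```c
#include <stdio.h>

#define NVEC 4                      /* constructed: number of queue vectors */

static void *registered[NVEC];      /* model: dev_id cookie held per IRQ line */
static int oct;                     /* stands in for the device structure 'oct' */
static int ioq_vector[NVEC];        /* stands in for the per-queue vector objects */

/* Model of request_irq(): fails on vector fail_at, else records dev_id. */
static int model_request_irq(int irq, void *dev_id, int fail_at)
{
    if (irq == fail_at)
        return -1;
    registered[irq] = dev_id;
    return 0;
}

/* Model of free_irq(): the action is removed only if dev_id matches. */
static void model_free_irq(int irq, void *dev_id)
{
    if (registered[irq] == dev_id)
        registered[irq] = NULL;
}

/* Request all vectors and roll back on failure.
 * Returns how many handlers remain registered afterwards. */
static int request_irqs(int fail_at, int matching_dev_id)
{
    int i, stale = 0;

    for (i = 0; i < NVEC; i++)
        registered[i] = NULL;
    for (i = 0; i < NVEC; i++)
        if (model_request_irq(i, &ioq_vector[i], fail_at))
            break;
    if (i < NVEC)                   /* partial failure: unwind vectors i-1..0 */
        while (--i >= 0)
            model_free_irq(i, matching_dev_id ? (void *)&ioq_vector[i] : (void *)&oct);
    for (i = 0; i < NVEC; i++)
        stale += registered[i] != NULL;
    return stale;
}

int main(void)
{
    printf("rollback with 'oct':      %d stale handlers\n", request_irqs(2, 0));
    printf("rollback with ioq_vector: %d stale handlers\n", request_irqs(2, 1));
    return 0;
}
```

Every handler left registered after the rollback still holds a pointer to an object that the unwind path goes on to free, which is the condition the fix removes.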
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4616
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback

octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqaction registered. This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or crash when an interrupt fires. Fix the error path to free IRQs with the same ioq_vector dev_id used during request_irq().
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel use-after-free in network driver enables privilege escalation via arbitrary code execution or DoS on interrupt during driver teardown.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely application of the referenced kernel patches that correct the dev_id mismatch in octep_vf_request_irqs() rollback, eliminating the root cause of the use-after-free.
Implements memory protection mechanisms that can block or contain exploitation of the use-after-free when an interrupt fires after ioq_vector is freed.
Enforces least functionality by disabling or not loading the octeon_ep_vf driver on systems where the vulnerable MSI-X IRQ handling is unnecessary, reducing exposure surface.