Cyber Resilience

CVE-2026-23013

High

Published: 25 January 2026

Published
25 January 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v3.1 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 6.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23013 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-23013 is a use-after-free vulnerability (CWE-416) in the Linux kernel's octeon_ep_vf network driver, affecting MSI-X queue IRQ handling. The issue arises in octep_vf_request_irqs(), where IRQs are requested with a dev_id set to ioq_vector. During partial failure rollback, free_irq() is called with a mismatched dev_id of 'oct', leaving the irqaction registered even as ioq_vector is freed later. This can trigger a use-after-free or kernel crash when an interrupt fires. The vulnerability carries a CVSS v3.1 base score of 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-25.

A local attacker with low privileges (PR:L) can exploit this vulnerability, though it requires high attack complexity (AC:H) and local access (AV:L) with no user interaction. Successful exploitation leads to a use-after-free condition, potentially allowing arbitrary code execution, data corruption, or denial of service via kernel crash when a relevant interrupt occurs during driver teardown.

Mitigation involves applying the upstream kernel patches referenced in the stable commit fixes: aa05a8371ae4a452df623f7202c72409d3c50e40, aa4c066229b05fc3d3c5f42693d25b1828533b6e, and f93fc5d12d69012788f82151bee55fce937e1432. These commits correct the error path to use the matching ioq_vector dev_id in free_irq() calls, preventing the mismatch and subsequent use-after-free. Security practitioners should update affected Linux kernels, particularly those using the octeon_ep_vf driver on compatible hardware.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id…

more

set to 'oct', which does not match the original dev_id and may leave the irqaction registered. This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or crash when an interrupt fires. Fix the error path to free IRQs with the same ioq_vector dev_id used during request_irq().

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel use-after-free in network driver enables privilege escalation via arbitrary code execution or DoS on interrupt during driver teardown.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel
CVE-2026-23001Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.19, 6.9 · 6.9.1 — 6.12.67 · 6.13 — 6.18.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the referenced kernel patches that correct the dev_id mismatch in octep_vf_request_irqs() rollback, eliminating the root cause of the use-after-free.

prevent

Implements memory protection mechanisms that can block or contain exploitation of the use-after-free when an interrupt fires after ioq_vector is freed.

prevent

Enforces least functionality by disabling or not loading the octeon_ep_vf driver on systems where the vulnerable MSI-X IRQ handling is unnecessary, reducing exposure surface.

References