CVE-2026-23098
Published: 04 February 2026
Summary
CVE-2026-23098 is a high-severity Double Free (CWE-415) vulnerability in Linux Linux Kernel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the double-free vulnerability in nr_route_frame by requiring timely installation of Linux kernel patches that add the nr_neigh->ax25 NULL check before freeing old_skb.
Prevents exploitation of the NET/ROM double-free by configuring the system to disable the niche NET/ROM protocol module when not operationally required.
Mitigates kernel memory corruption from the double-free vulnerability through memory protection mechanisms such as kernel address space layout randomization and supervisor mode execution prevention.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Double-free in kernel NET/ROM enables remote exploitation over adjacent network for privilege escalation (T1068) and remote service exploitation leading to kernel RCE/DoS (T1210).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: netrom: fix double-free in nr_route_frame() In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again,…
more
causing a double-free bug. Therefore, to prevent this, we need to modify it to check whether nr_neigh->ax25 is NULL before freeing old_skb.
Deeper analysisAI
CVE-2026-23098 is a double-free vulnerability (CWE-415) in the Linux kernel's NET/ROM (netrom) implementation, specifically within the nr_route_frame() function. The issue arises because old_skb is freed immediately without checking if nr_neigh->ax25 is NULL; if it is NULL, the caller function frees old_skb again, resulting in a double-free. This affects Linux kernel versions prior to the application of the relevant stable patches.
An attacker on an adjacent network (AV:A) with low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N) can exploit this vulnerability, which has an unchanged scope (S:U) and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 8.8. Successful exploitation could lead to kernel memory corruption, potentially enabling denial of service, privilege escalation, or arbitrary code execution.
The provided kernel stable commit references detail the fix: patches modify nr_route_frame() to check whether nr_neigh->ax25 is NULL before freeing old_skb, preventing the double-free. Security practitioners should update to kernels incorporating these commits (e.g., 25aab6bfc310, 6e0110ea90313b7c0558a0b77038274a6821caf8, and others listed) and consider disabling NET/ROM if unused, as it is a niche protocol typically for amateur radio over AX.25.
Details
- CWE(s)