Cyber Resilience

CVE-2026-23098

High

Published: 04 February 2026

Published
04 February 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0018 7.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-23098 is a high-severity Double Free (CWE-415) vulnerability in Linux Linux Kernel. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23098 is a double-free vulnerability (CWE-415) in the Linux kernel's NET/ROM (netrom) implementation, specifically within the nr_route_frame() function. The issue arises because old_skb is freed immediately without checking if nr_neigh->ax25 is NULL; if it is NULL, the caller function frees old_skb again, resulting in a double-free. This affects Linux kernel versions prior to the application of the relevant stable patches.

An attacker on an adjacent network (AV:A) with low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N) can exploit this vulnerability, which has an unchanged scope (S:U) and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 8.8. Successful exploitation could lead to kernel memory corruption, potentially enabling denial of service, privilege escalation, or arbitrary code execution.

The provided kernel stable commit references detail the fix: patches modify nr_route_frame() to check whether nr_neigh->ax25 is NULL before freeing old_skb, preventing the double-free. Security practitioners should update to kernels incorporating these commits (e.g., 25aab6bfc310, 6e0110ea90313b7c0558a0b77038274a6821caf8, and others listed) and consider disabling NET/ROM if unused, as it is a niche protocol typically for amateur radio over AX.25.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: netrom: fix double-free in nr_route_frame() In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again,…

more

causing a double-free bug. Therefore, to prevent this, we need to modify it to check whether nr_neigh->ax25 is NULL before freeing old_skb.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Double-free in kernel NET/ROM enables remote exploitation over adjacent network for privilege escalation (T1068) and remote service exploitation leading to kernel RCE/DoS (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43011Same product: Linux Linux Kernel
CVE-2026-23387Same product: Linux Linux Kernel
CVE-2022-49410Same product: Linux Linux Kernel
CVE-2026-31471Same product: Linux Linux Kernel
CVE-2025-71238Same product: Linux Linux Kernel
CVE-2022-49455Same product: Linux Linux Kernel
CVE-2026-31507Same product: Linux Linux Kernel
CVE-2022-49530Same product: Linux Linux Kernel
CVE-2022-49541Same product: Linux Linux Kernel
CVE-2024-57980Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
2.6.12, 6.19 · 2.6.12.1 — 5.10.249 · 5.11 — 5.15.199 · 5.16 — 6.1.162

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the double-free vulnerability in nr_route_frame by requiring timely installation of Linux kernel patches that add the nr_neigh->ax25 NULL check before freeing old_skb.

prevent

Prevents exploitation of the NET/ROM double-free by configuring the system to disable the niche NET/ROM protocol module when not operationally required.

prevent

Mitigates kernel memory corruption from the double-free vulnerability through memory protection mechanisms such as kernel address space layout randomization and supervisor mode execution prevention.

References