CVE-2026-23103
Published: 04 February 2026
Summary
CVE-2026-23103 is a high-severity Improper Locking (CWE-667) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely identification, reporting, and correction of the improper per-device addrs_lock flaw in the Linux kernel's ipvlan module through patching.
Enables proactive detection of vulnerable Linux kernel versions affected by CVE-2026-23103 via regular vulnerability scanning, facilitating remediation before local exploitation.
Prevents exposure to the ipvlan race condition by prohibiting or restricting nonessential kernel modules like ipvlan when not required for system functionality.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel race condition in ipvlan enables privilege escalation to achieve full C/I/A impact from low-privileged context.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
ipvlan: Make the addrs_lock be per port
Make the addrs_lock be per port, not per ipvlan dev.
Initial code seems to be written in the assumption, that any address change must occur under RTNL. But it is not so for the case of IPv6. So
1) Introduce per-port addrs_lock.
2) It was needed to fix places where it was forgotten to take lock (ipvlan_open/ipvlan_close)
This appears to be a very minor problem though. Since it's highly unlikely that ipvlan_add_addr() will be called on 2 CPU simultaneously. But nevertheless, this could cause:
1) False-negative of ipvlan_addr_busy(): one interface iterated through all port->ipvlans + ipvlan->addrs under some ipvlan spinlock, and another added IP under its own lock. Though this is only possible for IPv6, since looks like only ipvlan_addr6_event() can be called without rtnl_lock.
2) Race since ipvlan_ht_addr_add(port) is called under different ipvlan->addrs_lock locks
This should not affect performance, since add/remove IP is a rare situation and spinlock is not taken on fast paths.
Deeper analysis
CVE-2026-23103 is a vulnerability in the Linux kernel's ipvlan module stemming from improper locking of the addrs_lock, which was implemented per ipvlan device rather than per port. This design flaw creates race conditions during address management, particularly for IPv6, where changes can occur without the RTNL lock. Specifically, it enables false negatives in ipvlan_addr_busy() checks—where one interface iterates addresses under one lock while another adds an IP under a different lock—and races in ipvlan_ht_addr_add() due to inconsistent locking. Forgotten locks in ipvlan_open() and ipvlan_close() exacerbate the issue, though simultaneous calls to ipvlan_add_addr() on multiple CPUs are unlikely.
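The false negative in ipvlan_addr_busy() described above, replayed as a deterministic user-space model (an added example, not kernel code and not taken from the patch). The structs, `replay_add_race` and the fixed interleaving are assumptions made for illustration; the only thing that differs between the two runs is whether the lock belongs to the device or to the port.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* User-space model; names are illustrative, not the kernel's definitions. */
struct port { atomic_flag lock; int naddrs; int addrs[4]; };
struct dev  { atomic_flag lock; struct port *port; };

static bool try_lock(atomic_flag *l) { return !atomic_flag_test_and_set(l); }
static void unlock(atomic_flag *l)   { atomic_flag_clear(l); }

/* Port-wide duplicate check, standing in for ipvlan_addr_busy(). */
static bool addr_busy(const struct port *p, int a) {
    for (int i = 0; i < p->naddrs; i++)
        if (p->addrs[i] == a) return true;
    return false;
}

/* Replays one fixed interleaving of two devices on the same port adding the
 * same address, and returns how many copies end up on the port. */
int replay_add_race(bool per_port_lock, int addr) {
    struct port p = { ATOMIC_FLAG_INIT, 0, {0} };
    struct dev a = { ATOMIC_FLAG_INIT, &p }, b = { ATOMIC_FLAG_INIT, &p };
    atomic_flag *la = per_port_lock ? &a.port->lock : &a.lock;
    atomic_flag *lb = per_port_lock ? &b.port->lock : &b.lock;

    (void)try_lock(la);                          /* CPU0: device A enters */
    bool a_free = !addr_busy(&p, addr);          /* A sees the address unused */
    bool b_in = try_lock(lb);                    /* CPU1: device B tries to enter */
    bool b_free = b_in && !addr_busy(&p, addr);  /* stale answer if B got in */
    if (a_free) p.addrs[p.naddrs++] = addr;      /* A inserts and leaves */
    unlock(la);
    if (!b_in) {                                 /* B was excluded: it runs after A */
        (void)try_lock(lb);
        b_free = !addr_busy(&p, addr);
    }
    if (b_free) p.addrs[p.naddrs++] = addr;
    unlock(lb);

    int copies = 0;
    for (int i = 0; i < p.naddrs; i++) copies += (p.addrs[i] == addr);
    return copies;
}

int main(void) {
    printf("per-device lock: %d copies\n", replay_add_race(false, 42));
    printf("per-port lock:   %d copies\n", replay_add_race(true, 42));
    return 0;
}
```

With per-device locks both devices pass the busy check and the address is recorded twice on the port; with one per-port lock the second device is held out until the first has inserted, and its check then reports the address as busy.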
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged security scope (S:U). The CVSS v3.1 base score is 7.8. Exploitation likely involves triggering the races during IPv6 address events to disrupt or manipulate ipvlan port address handling.
Mitigation involves applying kernel patches from the stable repository, as detailed in the referenced commits: 04ba6de6eff61238e5397c14ac26a6578c7735a5 (introduces per-port addrs_lock), 1f300c10d92c547c3a7d978e1212ff52f18256ed, 3c149b662cbb202a450e81f938e702ba333864ad, 6a81e2db096913d7e43aada1c350c1282e76db39, and 70feb16e3fbfb10b15de1396557c38e99f1ab8df. These changes fix locking oversights without impacting performance on fast paths, as address add/remove operations are infrequent. The vulnerability is associated with CWE-667 (Improper Locking).
Details
- CWE(s)