CVE-2026-23162
Published: 14 February 2026
Summary
CVE-2026-23162 is a high-severity Double Free (CWE-415) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the double-free vulnerability by requiring timely remediation through application of the specific upstream Linux kernel patches.
Addresses the root cause of improper error handling in the xe_nvm_init failure path that leads to the double-free during auxiliary device initialization.
Provides memory protection mechanisms that mitigate exploitation of the double-free memory corruption in the Linux kernel's drm/xe/nvm subsystem.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Double-free memory corruption in kernel driver enables local exploitation for privilege escalation to achieve arbitrary code execution.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: drm/xe/nvm: Fix double-free on aux add failure After a successful auxiliary_device_init(), aux_dev->dev.release (xe_nvm_release_dev()) is responsible for the kfree(nvm). When there is failure with auxiliary_device_add(), driver will call auxiliary_device_uninit(), which call…
more
put_device(). So that the .release callback will be triggered to free the memory associated with the auxiliary_device. Move the kfree(nvm) into the auxiliary_device_init() failure path and remove the err goto path to fix below error. " [ 13.232905] ================================================================== [ 13.232911] BUG: KASAN: double-free in xe_nvm_init+0x751/0xf10 [xe] [ 13.233112] Free of addr ffff888120635000 by task systemd-udevd/273 [ 13.233120] CPU: 8 UID: 0 PID: 273 Comm: systemd-udevd Not tainted 6.19.0-rc2-lgci-xe-kernel+ #225 PREEMPT(voluntary) ... [ 13.233125] Call Trace: [ 13.233126] <TASK> [ 13.233127] dump_stack_lvl+0x7f/0xc0 [ 13.233132] print_report+0xce/0x610 [ 13.233136] ? kasan_complete_mode_report_info+0x5d/0x1e0 [ 13.233139] ? xe_nvm_init+0x751/0xf10 [xe] ... " v2: drop err goto path. (Alexander) (cherry picked from commit a3187c0c2bbd947ffff97f90d077ac88f9c2a215)
Deeper analysisAI
CVE-2026-23162 is a double-free vulnerability (CWE-415) in the Linux kernel's drm/xe/nvm subsystem. The flaw occurs in the xe_nvm_init function during failure handling after auxiliary_device_init succeeds but auxiliary_device_add fails. In this scenario, auxiliary_device_uninit calls put_device, triggering the xe_nvm_release_dev release callback, which frees the associated nvm memory already kfree'd elsewhere, resulting in a double-free. This was detected by KASAN in kernel 6.19.0-rc2 during systemd-udevd execution.
The vulnerability carries a CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A local attacker with low privileges can exploit it with low complexity and no user interaction, potentially achieving high impacts on confidentiality, integrity, and availability through memory corruption, such as arbitrary code execution or kernel crashes.
Mitigation requires applying the upstream kernel patches from the referenced stable commits: 32887d8e4bc0696b3cb6c5915a42b39cfd3434f4 and 8a44241b0b83a6047c5448da1fff03fcc29496b5, available at git.kernel.org/stable. These patches move the kfree(nvm) to the auxiliary_device_init failure path and remove the erroneous goto path, with the fix originally cherry-picked from commit a3187c0c2bbd947ffff97f90d077ac88f9c2a215.
Details
- CWE(s)