CVE-2026-23326
Published: 25 March 2026
Summary
CVE-2026-23326 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23326 is a vulnerability in the Linux kernel's xsk (AF_XDP) implementation that leads to a buffer leak. Following commit b692bf9a7543, which repurposed the list_node field for both the xskb pool list and the buffer free list, the xp_free() function incorrectly skips adding buffers to the free list. This occurs because list_del() removes nodes from the pool list without reinitializing the node pointers, causing list_empty(&xskb->list_node) to return false even after removal.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables high impacts on confidentiality, integrity, and availability, mapped to CWE-787. The buffer leak could facilitate memory exhaustion or enable further privilege escalation or data exposure through mishandled high-performance networking buffers.
Mitigation involves applying kernel patches from stable repositories, such as those at the referenced commit URLs (e.g., https://git.kernel.org/stable/c/2a9ea988465ece5b6896b1bdc144170a64e84c35). These patches replace list_del() with list_del_init() across fragment handling paths, ensuring proper node reinitialization so list_empty() functions correctly and prevents the leak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15279
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: xsk: Fix fragment node deletion to prevent buffer leak After commit b692bf9a7543 ("xsk: Get rid of xdp_buff_xsk::xskb_list_node"), the list_node field is reused for both the xskb pool list and the…
more
buffer free list, this causes a buffer leak as described below. xp_free() checks if a buffer is already on the free list using list_empty(&xskb->list_node). When list_del() is used to remove a node from the xskb pool list, it doesn't reinitialize the node pointers. This means list_empty() will return false even after the node has been removed, causing xp_free() to incorrectly skip adding the buffer to the free list. Fix this by using list_del_init() instead of list_del() in all fragment handling paths, this ensures the list node is reinitialized after removal, allowing the list_empty() to work correctly.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel buffer leak in AF_XDP enables privilege escalation via memory corruption/exhaustion paths (CWE-787).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates identification, reporting, and correction of the Linux kernel flaw causing buffer leaks in xsk fragment handling via timely patching.
Directly implements controls to minimize the impact of memory leaks, such as the buffer leak triggered by improper list_del() usage in the kernel's xsk implementation.
Enables periodic vulnerability scanning to identify systems running kernel versions affected by CVE-2026-23326 buffer leak.