Cyber Resilience

CVE-2026-23326

High

Published: 25 March 2026

Published
25 March 2026
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23326 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23326 is a vulnerability in the Linux kernel's xsk (AF_XDP) implementation that leads to a buffer leak. Following commit b692bf9a7543, which repurposed the list_node field for both the xskb pool list and the buffer free list, the xp_free() function incorrectly skips adding buffers to the free list. This occurs because list_del() removes nodes from the pool list without reinitializing the node pointers, causing list_empty(&xskb->list_node) to return false even after removal.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables high impacts on confidentiality, integrity, and availability, mapped to CWE-787. The buffer leak could facilitate memory exhaustion or enable further privilege escalation or data exposure through mishandled high-performance networking buffers.

Mitigation involves applying kernel patches from stable repositories, such as those at the referenced commit URLs (e.g., https://git.kernel.org/stable/c/2a9ea988465ece5b6896b1bdc144170a64e84c35). These patches replace list_del() with list_del_init() across fragment handling paths, ensuring proper node reinitialization so list_empty() functions correctly and prevents the leak.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: xsk: Fix fragment node deletion to prevent buffer leak After commit b692bf9a7543 ("xsk: Get rid of xdp_buff_xsk::xskb_list_node"), the list_node field is reused for both the xskb pool list and the…

more

buffer free list, this causes a buffer leak as described below. xp_free() checks if a buffer is already on the free list using list_empty(&xskb->list_node). When list_del() is used to remove a node from the xskb pool list, it doesn't reinitialize the node pointers. This means list_empty() will return false even after the node has been removed, causing xp_free() to incorrectly skip adding the buffer to the free list. Fix this by using list_del_init() instead of list_del() in all fragment handling paths, this ensures the list node is reinitialized after removal, allowing the list_empty() to work correctly.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel buffer leak in AF_XDP enables privilege escalation via memory corruption/exhaustion paths (CWE-787).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137Same product: Linux Linux Kernel
CVE-2026-31772Same product: Linux Linux Kernel
CVE-2026-23378Same product: Linux Linux Kernel
CVE-2026-31494Same product: Linux Linux Kernel
CVE-2025-21735Same product: Linux Linux Kernel
CVE-2025-21650Same product: Linux Linux Kernel
CVE-2024-52319Same product: Linux Linux Kernel
CVE-2024-58003Same product: Linux Linux Kernel
CVE-2026-23343Same product: Linux Linux Kernel
CVE-2026-23092Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.13, 7.0 · 6.13.1 — 6.18.17 · 6.19 — 6.19.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates identification, reporting, and correction of the Linux kernel flaw causing buffer leaks in xsk fragment handling via timely patching.

prevent

Directly implements controls to minimize the impact of memory leaks, such as the buffer leak triggered by improper list_del() usage in the kernel's xsk implementation.

detect

Enables periodic vulnerability scanning to identify systems running kernel versions affected by CVE-2026-23326 buffer leak.

References