CVE-2026-23445
Published: 03 April 2026
Summary
CVE-2026-23445 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identifying, reporting, and correcting the igc driver flaw by applying kernel patches that clean up stale xsk_meta pointers during TX ring shutdown to prevent page faults.
Ensures receipt and timely implementation of Linux kernel security advisories and stable updates addressing CVE-2026-23445 in the igc driver.
Limits kernel functionality by prohibiting or restricting non-essential XDP TX timestamping in the igc driver, avoiding the shutdown scenario that leaves stale pointers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel driver flaw directly enables privilege escalation (T1068) via crafted XDP TX timestamp shutdown and system/application DoS through page fault exploitation (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: igc: fix page fault in XDP TX timestamps handling If an XDP application that requested TX timestamping is shutting down while the link of the interface in use is still…
more
up the following kernel splat is reported: [ 883.803618] [ T1554] BUG: unable to handle page fault for address: ffffcfb6200fd008 ... [ 883.803650] [ T1554] Call Trace: [ 883.803652] [ T1554] <TASK> [ 883.803654] [ T1554] igc_ptp_tx_tstamp_event+0xdf/0x160 [igc] [ 883.803660] [ T1554] igc_tsync_interrupt+0x2d5/0x300 [igc] ... During shutdown of the TX ring the xsk_meta pointers are left behind, so that the IRQ handler is trying to touch them. This issue is now being fixed by cleaning up the stale xsk meta data on TX shutdown. TX timestamps on other queues remain unaffected.
Deeper analysisAI
CVE-2026-23445 is a vulnerability in the Linux kernel's igc driver that causes a page fault during XDP TX timestamps handling. The issue arises when an XDP application requesting TX timestamping shuts down while the network interface link remains up, leaving stale xsk_meta pointers in the TX ring. This leads to the IRQ handler attempting to access invalid memory, resulting in a kernel splat such as "BUG: unable to handle page fault." The vulnerability affects the igc driver specifically, with TX timestamps on other queues remaining unaffected. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by running an XDP application that requests TX timestamping and then shutting it down while the interface link is active. The low attack complexity and lack of user interaction requirements make it feasible under these conditions. Successful exploitation triggers a kernel page fault, potentially leading to high impacts on confidentiality, integrity, and availability as scored by CVSS.
Mitigation is provided through kernel patches available in stable repositories, such as the commits at https://git.kernel.org/stable/c/31521c124e6488c4a81658e35199feb75a988d86, https://git.kernel.org/stable/c/45b33e805bd39f615d9353a7194b2da5281332df, https://git.kernel.org/stable/c/5e4c90c94eb766d70e30694b7fe66862aabaf24b, and https://git.kernel.org/stable/c/b02fa17d1744d19cd3820bdbf6ec5d85547977bf. These fixes clean up stale xsk_meta data during TX ring shutdown to prevent the IRQ handler from accessing invalid pointers. Security practitioners should apply the relevant stable kernel updates to affected systems using the igc driver.
Details
- CWE(s)