CVE-2026-23046 (GCVE-0-2026-23046)

Vulnerability from cvelistv5 – Published: 2026-02-04 16:00 – Updated: 2026-05-11 21:58
VLAI?
Title
virtio_net: fix device mismatch in devm_kzalloc/devm_kfree
Summary
In the Linux kernel, the following vulnerability has been resolved: virtio_net: fix device mismatch in devm_kzalloc/devm_kfree Initial rss_hdr allocation uses virtio_device->device, but virtnet_set_queues() frees using net_device->device. This device mismatch causing below devres warning [ 3788.514041] ------------[ cut here ]------------ [ 3788.514044] WARNING: drivers/base/devres.c:1095 at devm_kfree+0x84/0x98, CPU#16: vdpa/1463 [ 3788.514054] Modules linked in: octep_vdpa virtio_net virtio_vdpa [last unloaded: virtio_vdpa] [ 3788.514064] CPU: 16 UID: 0 PID: 1463 Comm: vdpa Tainted: G W 6.18.0 #10 PREEMPT [ 3788.514067] Tainted: [W]=WARN [ 3788.514069] Hardware name: Marvell CN106XX board (DT) [ 3788.514071] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) [ 3788.514074] pc : devm_kfree+0x84/0x98 [ 3788.514076] lr : devm_kfree+0x54/0x98 [ 3788.514079] sp : ffff800084e2f220 [ 3788.514080] x29: ffff800084e2f220 x28: ffff0003b2366000 x27: 000000000000003f [ 3788.514085] x26: 000000000000003f x25: ffff000106f17c10 x24: 0000000000000080 [ 3788.514089] x23: ffff00045bb8ab08 x22: ffff00045bb8a000 x21: 0000000000000018 [ 3788.514093] x20: ffff0004355c3080 x19: ffff00045bb8aa00 x18: 0000000000080000 [ 3788.514098] x17: 0000000000000040 x16: 000000000000001f x15: 000000000007ffff [ 3788.514102] x14: 0000000000000488 x13: 0000000000000005 x12: 00000000000fffff [ 3788.514106] x11: ffffffffffffffff x10: 0000000000000005 x9 : ffff800080c8c05c [ 3788.514110] x8 : ffff800084e2eeb8 x7 : 0000000000000000 x6 : 000000000000003f [ 3788.514115] x5 : ffff8000831bafe0 x4 : ffff800080c8b010 x3 : ffff0004355c3080 [ 3788.514119] x2 : ffff0004355c3080 x1 : 0000000000000000 x0 : 0000000000000000 [ 3788.514123] Call trace: [ 3788.514125] devm_kfree+0x84/0x98 (P) [ 3788.514129] virtnet_set_queues+0x134/0x2e8 [virtio_net] [ 3788.514135] virtnet_probe+0x9c0/0xe00 [virtio_net] [ 3788.514139] virtio_dev_probe+0x1e0/0x338 [ 3788.514144] really_probe+0xc8/0x3a0 [ 3788.514149] __driver_probe_device+0x84/0x170 [ 3788.514152] driver_probe_device+0x44/0x120 [ 3788.514155] __device_attach_driver+0xc4/0x168 [ 3788.514158] bus_for_each_drv+0x8c/0xf0 [ 3788.514161] __device_attach+0xa4/0x1c0 [ 3788.514164] device_initial_probe+0x1c/0x30 [ 3788.514168] bus_probe_device+0xb4/0xc0 [ 3788.514170] device_add+0x614/0x828 [ 3788.514173] register_virtio_device+0x214/0x258 [ 3788.514175] virtio_vdpa_probe+0xa0/0x110 [virtio_vdpa] [ 3788.514179] vdpa_dev_probe+0xa8/0xd8 [ 3788.514183] really_probe+0xc8/0x3a0 [ 3788.514186] __driver_probe_device+0x84/0x170 [ 3788.514189] driver_probe_device+0x44/0x120 [ 3788.514192] __device_attach_driver+0xc4/0x168 [ 3788.514195] bus_for_each_drv+0x8c/0xf0 [ 3788.514197] __device_attach+0xa4/0x1c0 [ 3788.514200] device_initial_probe+0x1c/0x30 [ 3788.514203] bus_probe_device+0xb4/0xc0 [ 3788.514206] device_add+0x614/0x828 [ 3788.514209] _vdpa_register_device+0x58/0x88 [ 3788.514211] octep_vdpa_dev_add+0x104/0x228 [octep_vdpa] [ 3788.514215] vdpa_nl_cmd_dev_add_set_doit+0x2d0/0x3c0 [ 3788.514218] genl_family_rcv_msg_doit+0xe4/0x158 [ 3788.514222] genl_rcv_msg+0x218/0x298 [ 3788.514225] netlink_rcv_skb+0x64/0x138 [ 3788.514229] genl_rcv+0x40/0x60 [ 3788.514233] netlink_unicast+0x32c/0x3b0 [ 3788.514237] netlink_sendmsg+0x170/0x3b8 [ 3788.514241] __sys_sendto+0x12c/0x1c0 [ 3788.514246] __arm64_sys_sendto+0x30/0x48 [ 3788.514249] invoke_syscall.constprop.0+0x58/0xf8 [ 3788.514255] do_el0_svc+0x48/0xd0 [ 3788.514259] el0_svc+0x48/0x210 [ 3788.514264] el0t_64_sync_handler+0xa0/0xe8 [ 3788.514268] el0t_64_sync+0x198/0x1a0 [ 3788.514271] ---[ end trace 0000000000000000 ]--- Fix by using virtio_device->device consistently for allocation and deallocation
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 4944be2f5ad8c74b93e4e272f3a0f1a136bbc438 , < a5e2d902f64c76169c771f584559c82b588090e3 (git)
Affected: 4944be2f5ad8c74b93e4e272f3a0f1a136bbc438 , < acb4bc6e1ba34ae1a34a9334a1ce8474c909466e (git)
Create a notification for this product.
Linux Linux Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.18.6 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/virtio_net.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a5e2d902f64c76169c771f584559c82b588090e3",
              "status": "affected",
              "version": "4944be2f5ad8c74b93e4e272f3a0f1a136bbc438",
              "versionType": "git"
            },
            {
              "lessThan": "acb4bc6e1ba34ae1a34a9334a1ce8474c909466e",
              "status": "affected",
              "version": "4944be2f5ad8c74b93e4e272f3a0f1a136bbc438",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/virtio_net.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.6",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: fix device mismatch in devm_kzalloc/devm_kfree\n\nInitial rss_hdr allocation uses virtio_device-\u003edevice,\nbut virtnet_set_queues() frees using net_device-\u003edevice.\nThis device mismatch causing below devres warning\n\n[ 3788.514041] ------------[ cut here ]------------\n[ 3788.514044] WARNING: drivers/base/devres.c:1095 at devm_kfree+0x84/0x98, CPU#16: vdpa/1463\n[ 3788.514054] Modules linked in: octep_vdpa virtio_net virtio_vdpa [last unloaded: virtio_vdpa]\n[ 3788.514064] CPU: 16 UID: 0 PID: 1463 Comm: vdpa Tainted: G        W           6.18.0 #10 PREEMPT\n[ 3788.514067] Tainted: [W]=WARN\n[ 3788.514069] Hardware name: Marvell CN106XX board (DT)\n[ 3788.514071] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n[ 3788.514074] pc : devm_kfree+0x84/0x98\n[ 3788.514076] lr : devm_kfree+0x54/0x98\n[ 3788.514079] sp : ffff800084e2f220\n[ 3788.514080] x29: ffff800084e2f220 x28: ffff0003b2366000 x27: 000000000000003f\n[ 3788.514085] x26: 000000000000003f x25: ffff000106f17c10 x24: 0000000000000080\n[ 3788.514089] x23: ffff00045bb8ab08 x22: ffff00045bb8a000 x21: 0000000000000018\n[ 3788.514093] x20: ffff0004355c3080 x19: ffff00045bb8aa00 x18: 0000000000080000\n[ 3788.514098] x17: 0000000000000040 x16: 000000000000001f x15: 000000000007ffff\n[ 3788.514102] x14: 0000000000000488 x13: 0000000000000005 x12: 00000000000fffff\n[ 3788.514106] x11: ffffffffffffffff x10: 0000000000000005 x9 : ffff800080c8c05c\n[ 3788.514110] x8 : ffff800084e2eeb8 x7 : 0000000000000000 x6 : 000000000000003f\n[ 3788.514115] x5 : ffff8000831bafe0 x4 : ffff800080c8b010 x3 : ffff0004355c3080\n[ 3788.514119] x2 : ffff0004355c3080 x1 : 0000000000000000 x0 : 0000000000000000\n[ 3788.514123] Call trace:\n[ 3788.514125]  devm_kfree+0x84/0x98 (P)\n[ 3788.514129]  virtnet_set_queues+0x134/0x2e8 [virtio_net]\n[ 3788.514135]  virtnet_probe+0x9c0/0xe00 [virtio_net]\n[ 3788.514139]  virtio_dev_probe+0x1e0/0x338\n[ 3788.514144]  really_probe+0xc8/0x3a0\n[ 3788.514149]  __driver_probe_device+0x84/0x170\n[ 3788.514152]  driver_probe_device+0x44/0x120\n[ 3788.514155]  __device_attach_driver+0xc4/0x168\n[ 3788.514158]  bus_for_each_drv+0x8c/0xf0\n[ 3788.514161]  __device_attach+0xa4/0x1c0\n[ 3788.514164]  device_initial_probe+0x1c/0x30\n[ 3788.514168]  bus_probe_device+0xb4/0xc0\n[ 3788.514170]  device_add+0x614/0x828\n[ 3788.514173]  register_virtio_device+0x214/0x258\n[ 3788.514175]  virtio_vdpa_probe+0xa0/0x110 [virtio_vdpa]\n[ 3788.514179]  vdpa_dev_probe+0xa8/0xd8\n[ 3788.514183]  really_probe+0xc8/0x3a0\n[ 3788.514186]  __driver_probe_device+0x84/0x170\n[ 3788.514189]  driver_probe_device+0x44/0x120\n[ 3788.514192]  __device_attach_driver+0xc4/0x168\n[ 3788.514195]  bus_for_each_drv+0x8c/0xf0\n[ 3788.514197]  __device_attach+0xa4/0x1c0\n[ 3788.514200]  device_initial_probe+0x1c/0x30\n[ 3788.514203]  bus_probe_device+0xb4/0xc0\n[ 3788.514206]  device_add+0x614/0x828\n[ 3788.514209]  _vdpa_register_device+0x58/0x88\n[ 3788.514211]  octep_vdpa_dev_add+0x104/0x228 [octep_vdpa]\n[ 3788.514215]  vdpa_nl_cmd_dev_add_set_doit+0x2d0/0x3c0\n[ 3788.514218]  genl_family_rcv_msg_doit+0xe4/0x158\n[ 3788.514222]  genl_rcv_msg+0x218/0x298\n[ 3788.514225]  netlink_rcv_skb+0x64/0x138\n[ 3788.514229]  genl_rcv+0x40/0x60\n[ 3788.514233]  netlink_unicast+0x32c/0x3b0\n[ 3788.514237]  netlink_sendmsg+0x170/0x3b8\n[ 3788.514241]  __sys_sendto+0x12c/0x1c0\n[ 3788.514246]  __arm64_sys_sendto+0x30/0x48\n[ 3788.514249]  invoke_syscall.constprop.0+0x58/0xf8\n[ 3788.514255]  do_el0_svc+0x48/0xd0\n[ 3788.514259]  el0_svc+0x48/0x210\n[ 3788.514264]  el0t_64_sync_handler+0xa0/0xe8\n[ 3788.514268]  el0t_64_sync+0x198/0x1a0\n[ 3788.514271] ---[ end trace 0000000000000000 ]---\n\nFix by using virtio_device-\u003edevice consistently for\nallocation and deallocation"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:58:57.316Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a5e2d902f64c76169c771f584559c82b588090e3"
        },
        {
          "url": "https://git.kernel.org/stable/c/acb4bc6e1ba34ae1a34a9334a1ce8474c909466e"
        }
      ],
      "title": "virtio_net: fix device mismatch in devm_kzalloc/devm_kfree",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23046",
    "datePublished": "2026-02-04T16:00:28.772Z",
    "dateReserved": "2026-01-13T15:37:45.944Z",
    "dateUpdated": "2026-05-11T21:58:57.316Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-23046",
      "date": "2026-05-21",
      "epss": "0.00027",
      "percentile": "0.079"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23046\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-04T16:16:20.110\",\"lastModified\":\"2026-02-04T16:33:44.537\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvirtio_net: fix device mismatch in devm_kzalloc/devm_kfree\\n\\nInitial rss_hdr allocation uses virtio_device-\u003edevice,\\nbut virtnet_set_queues() frees using net_device-\u003edevice.\\nThis device mismatch causing below devres warning\\n\\n[ 3788.514041] ------------[ cut here ]------------\\n[ 3788.514044] WARNING: drivers/base/devres.c:1095 at devm_kfree+0x84/0x98, CPU#16: vdpa/1463\\n[ 3788.514054] Modules linked in: octep_vdpa virtio_net virtio_vdpa [last unloaded: virtio_vdpa]\\n[ 3788.514064] CPU: 16 UID: 0 PID: 1463 Comm: vdpa Tainted: G        W           6.18.0 #10 PREEMPT\\n[ 3788.514067] Tainted: [W]=WARN\\n[ 3788.514069] Hardware name: Marvell CN106XX board (DT)\\n[ 3788.514071] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\\n[ 3788.514074] pc : devm_kfree+0x84/0x98\\n[ 3788.514076] lr : devm_kfree+0x54/0x98\\n[ 3788.514079] sp : ffff800084e2f220\\n[ 3788.514080] x29: ffff800084e2f220 x28: ffff0003b2366000 x27: 000000000000003f\\n[ 3788.514085] x26: 000000000000003f x25: ffff000106f17c10 x24: 0000000000000080\\n[ 3788.514089] x23: ffff00045bb8ab08 x22: ffff00045bb8a000 x21: 0000000000000018\\n[ 3788.514093] x20: ffff0004355c3080 x19: ffff00045bb8aa00 x18: 0000000000080000\\n[ 3788.514098] x17: 0000000000000040 x16: 000000000000001f x15: 000000000007ffff\\n[ 3788.514102] x14: 0000000000000488 x13: 0000000000000005 x12: 00000000000fffff\\n[ 3788.514106] x11: ffffffffffffffff x10: 0000000000000005 x9 : ffff800080c8c05c\\n[ 3788.514110] x8 : ffff800084e2eeb8 x7 : 0000000000000000 x6 : 000000000000003f\\n[ 3788.514115] x5 : ffff8000831bafe0 x4 : ffff800080c8b010 x3 : ffff0004355c3080\\n[ 3788.514119] x2 : ffff0004355c3080 x1 : 0000000000000000 x0 : 0000000000000000\\n[ 3788.514123] Call trace:\\n[ 3788.514125]  devm_kfree+0x84/0x98 (P)\\n[ 3788.514129]  virtnet_set_queues+0x134/0x2e8 [virtio_net]\\n[ 3788.514135]  virtnet_probe+0x9c0/0xe00 [virtio_net]\\n[ 3788.514139]  virtio_dev_probe+0x1e0/0x338\\n[ 3788.514144]  really_probe+0xc8/0x3a0\\n[ 3788.514149]  __driver_probe_device+0x84/0x170\\n[ 3788.514152]  driver_probe_device+0x44/0x120\\n[ 3788.514155]  __device_attach_driver+0xc4/0x168\\n[ 3788.514158]  bus_for_each_drv+0x8c/0xf0\\n[ 3788.514161]  __device_attach+0xa4/0x1c0\\n[ 3788.514164]  device_initial_probe+0x1c/0x30\\n[ 3788.514168]  bus_probe_device+0xb4/0xc0\\n[ 3788.514170]  device_add+0x614/0x828\\n[ 3788.514173]  register_virtio_device+0x214/0x258\\n[ 3788.514175]  virtio_vdpa_probe+0xa0/0x110 [virtio_vdpa]\\n[ 3788.514179]  vdpa_dev_probe+0xa8/0xd8\\n[ 3788.514183]  really_probe+0xc8/0x3a0\\n[ 3788.514186]  __driver_probe_device+0x84/0x170\\n[ 3788.514189]  driver_probe_device+0x44/0x120\\n[ 3788.514192]  __device_attach_driver+0xc4/0x168\\n[ 3788.514195]  bus_for_each_drv+0x8c/0xf0\\n[ 3788.514197]  __device_attach+0xa4/0x1c0\\n[ 3788.514200]  device_initial_probe+0x1c/0x30\\n[ 3788.514203]  bus_probe_device+0xb4/0xc0\\n[ 3788.514206]  device_add+0x614/0x828\\n[ 3788.514209]  _vdpa_register_device+0x58/0x88\\n[ 3788.514211]  octep_vdpa_dev_add+0x104/0x228 [octep_vdpa]\\n[ 3788.514215]  vdpa_nl_cmd_dev_add_set_doit+0x2d0/0x3c0\\n[ 3788.514218]  genl_family_rcv_msg_doit+0xe4/0x158\\n[ 3788.514222]  genl_rcv_msg+0x218/0x298\\n[ 3788.514225]  netlink_rcv_skb+0x64/0x138\\n[ 3788.514229]  genl_rcv+0x40/0x60\\n[ 3788.514233]  netlink_unicast+0x32c/0x3b0\\n[ 3788.514237]  netlink_sendmsg+0x170/0x3b8\\n[ 3788.514241]  __sys_sendto+0x12c/0x1c0\\n[ 3788.514246]  __arm64_sys_sendto+0x30/0x48\\n[ 3788.514249]  invoke_syscall.constprop.0+0x58/0xf8\\n[ 3788.514255]  do_el0_svc+0x48/0xd0\\n[ 3788.514259]  el0_svc+0x48/0x210\\n[ 3788.514264]  el0t_64_sync_handler+0xa0/0xe8\\n[ 3788.514268]  el0t_64_sync+0x198/0x1a0\\n[ 3788.514271] ---[ end trace 0000000000000000 ]---\\n\\nFix by using virtio_device-\u003edevice consistently for\\nallocation and deallocation\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/a5e2d902f64c76169c771f584559c82b588090e3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/acb4bc6e1ba34ae1a34a9334a1ce8474c909466e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.