CVE-2026-23072 in Linuxinfo

Summary

by MITRE • 02/04/2026

In the Linux kernel, the following vulnerability has been resolved:

l2tp: Fix memleak in l2tp_udp_encap_recv().

syzbot reported memleak of struct l2tp_session, l2tp_tunnel, sock, etc. [0]

The cited commit moved down the validation of the protocol version in l2tp_udp_encap_recv().

The new place requires an extra error handling to avoid the memleak.

Let's call l2tp_session_put() there.

[0]:
BUG: memory leak unreferenced object 0xffff88810a290200 (size 512): comm "syz.0.17", pid 6086, jiffies 4294944299 hex dump (first 32 bytes): 7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00 }............... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc babb6a4f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669 kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778 pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755 __sys_connect_file+0x7a/0xb0 net/socket.c:2089 __sys_connect+0xde/0x110 net/socket.c:2108 __do_sys_connect net/socket.c:2114 [inline]
__se_sys_connect net/socket.c:2111 [inline]
__x64_sys_connect+0x1c/0x30 net/socket.c:2111 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/30/2026

The vulnerability identified as CVE-2026-23072 represents a memory leak within the Linux kernel's Layer 2 Tunneling Protocol implementation specifically affecting the l2tp_udp_encap_recv() function. This issue was discovered through automated fuzzing by syzbot, which identified unreferenced objects related to l2tp_session, l2tp_tunnel, and sock structures. The memory leak occurs due to improper error handling in the protocol version validation sequence within the L2TP UDP encapsulation receive function. The root cause stems from a code restructuring that moved validation logic to a different position in the function execution flow, creating a gap where memory allocation occurs without proper cleanup mechanisms when validation fails.

The technical flaw manifests as a failure to call l2tp_session_put() in the error path of l2tp_udp_encap_recv(), resulting in unreferenced memory allocations that persist in kernel memory. This memory leak directly impacts system stability and resource utilization over time, particularly in environments where L2TP connections are frequently established and torn down. The vulnerability affects the kernel's memory management subsystem through the SLUB allocator, specifically within the kmalloc_noprof and kzalloc_noprof allocation paths, where the memory leak is traced back to l2tp_session_create function calls. According to CWE classification, this represents a CWE-401: Memory Leak, which occurs when allocated memory is not properly deallocated, creating a persistent resource exhaustion condition.

The operational impact of this vulnerability extends beyond simple memory consumption, as sustained memory leaks can lead to system instability, performance degradation, and potential denial of service conditions. Attackers could exploit this by repeatedly establishing and terminating L2TP connections to accumulate memory leaks, eventually causing system resource exhaustion. The vulnerability particularly affects systems running Linux kernels with L2TP support, including those implementing VPN services, network tunneling protocols, and enterprise networking infrastructure. From an ATT&CK perspective, this vulnerability could be leveraged as part of a resource exhaustion attack pattern, potentially enabling broader system compromise through sustained degradation of kernel memory management capabilities.

Mitigation strategies should focus on applying the upstream fix that ensures proper error handling and memory deallocation in the l2tp_udp_encap_recv() function. System administrators should prioritize kernel updates that include the specific commit addressing this memory leak issue, particularly in production environments where L2TP services are actively utilized. Monitoring for memory allocation patterns and implementing automated alerts for sustained memory usage increases can help detect exploitation attempts. Additionally, network segmentation and access controls should limit exposure to L2TP services, reducing the attack surface while patches are deployed. The fix requires careful implementation to ensure that l2tp_session_put() is called in all error paths while maintaining the intended protocol validation logic, preventing regression in legitimate L2TP functionality.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00121

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!