CVE-2026-23209 in Linux
Summary
by MITRE • 02/14/2026
In the Linux kernel, the following vulnerability has been resolved:
macvlan: fix error recovery in macvlan_common_newlink()
valis provided a nice repro to crash the kernel:
ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2
ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20
ping -c1 -I p1 1.2.3.4
He also gave a very detailed analysis:
<quote valis>
The issue is triggered when a new macvlan link is created with MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan port and register_netdevice() called from macvlan_common_newlink() fails (e.g. because of the invalid link name).
In this case macvlan_hash_add_source is called from macvlan_change_sources() / macvlan_common_newlink():
This adds a reference to vlan to the port's vlan_source_hash using macvlan_source_entry.
vlan is a pointer to the priv data of the link that is being created.
When register_netdevice() fails, the error is returned from macvlan_newlink() to rtnl_newlink_create():
if (ops->newlink) err = ops->newlink(dev, ¶ms, extack); else err = register_netdevice(dev); if (err < 0) {
free_netdev(dev); goto out; }
and free_netdev() is called, causing a kvfree() on the struct net_device that is still referenced in the source entry attached to the lower device's macvlan port.
Now all packets sent on the macvlan port with a matching source mac address will trigger a use-after-free in macvlan_forward_source().
</quote valis>
With all that, my fix is to make sure we call macvlan_flush_sources() regardless of @create value whenever "goto destroy_macvlan_port;" path is taken.
Many thanks to valis for following up on this issue.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/06/2026
The vulnerability described in CVE-2026-23209 represents a critical use-after-free condition within the Linux kernel's macvlan implementation, specifically affecting the macvlan_common_newlink() function. This flaw occurs when creating a new macvlan link with MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD or MACVLAN_MACADDR_SET parameters, particularly when the lower device already contains a macvlan port. The issue manifests during the error recovery phase of link creation when register_netdevice() fails due to invalid parameters such as incorrect link names or duplicate MAC addresses. The technical root cause involves improper cleanup of hash table references when link creation fails, creating a dangling pointer that persists in the kernel's source hash table.
The exploitation scenario begins with the creation of a virtual ethernet pair using ip link add commands followed by the setup of macvlan interfaces with specific parameters that trigger the race condition. When register_netdevice() fails during the macvlan creation process, the system attempts to clean up resources but fails to properly remove the reference to the newly allocated device structure from the source hash table. The macvlan_hash_add_source function adds a reference to the vlan structure (pointing to the private data of the link being created) to the port's vlan_source_hash using macvlan_source_entry. However, when free_netdev() is subsequently called due to the failed registration, the memory associated with the net_device structure is freed while still referenced in the source entry, leading to a use-after-free condition.
The operational impact of this vulnerability is severe as it can lead to arbitrary code execution or system crashes when packets are sent through the affected macvlan port. The use-after-free condition in macvlan_forward_source() allows attackers to potentially corrupt kernel memory and execute malicious code with kernel privileges. This vulnerability directly maps to CWE-416: Use After Free, which is classified under the Common Weakness Enumeration as a critical memory safety issue. The attack vector aligns with ATT&CK technique T1068: Exploitation for Privilege Escalation, where an attacker could leverage kernel memory corruption to gain elevated privileges. The vulnerability affects systems running Linux kernel versions where macvlan functionality is enabled and used with the specific combination of source mode and MAC address manipulation parameters.
Mitigation strategies for this vulnerability include immediate patch application from the Linux kernel maintainers, which should ensure that macvlan_flush_sources() is called regardless of the create parameter value when the "goto destroy_macvlan_port;" path is taken. Administrators should also implement network segmentation to limit exposure and monitor for unusual network device creation patterns. The fix requires careful handling of resource cleanup in error paths to prevent dangling references in hash tables, ensuring that all references to freed memory structures are properly removed before memory deallocation occurs. System administrators should also consider disabling unused network virtualization features and maintaining up-to-date kernel versions to prevent exploitation of similar vulnerabilities. The solution must address the fundamental race condition in the error recovery path where cleanup operations are insufficient when device registration fails, particularly in scenarios involving source mode macvlan interfaces with existing lower device ports.