CVE-2026-23255 in Linux
Summary
by MITRE • 03/18/2026
In the Linux kernel, the following vulnerability has been resolved:
net: add proper RCU protection to /proc/net/ptype
Yin Fengwei reported an RCU stall in ptype_seq_show() and provided a patch.
The real issue is that ptype_seq_next() and ptype_seq_show() violate RCU rules.
ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev to get device name without any barrier.
At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->dev without an RCU grace period.
Define ptype_iter_state to carry a dev pointer along seq_net_private:
struct ptype_iter_state {
    struct seq_net_private p;
    struct net_device *dev; // added in this patch
};
We need to record the device pointer in ptype_get_idx() and ptype_seq_next() so that ptype_seq_show() is safe against concurrent pt->dev changes.
We also need to add full RCU protection in ptype_seq_next(). (Missing READ_ONCE() when reading list.next values)
Many thanks to Dong Chenchen for providing a repro.
Analysis
by VulDB Data Team • 05/21/2026
CVE-2026-23255 is a critical race condition in the Linux kernel's networking subsystem that affects the /proc/net/ptype interface. It surfaces as an RCU (Read-Copy-Update) stall in ptype_seq_show(), the function that renders packet type information through the proc filesystem. The flaw arises when concurrent readers and writers access the same data structures without adequate synchronization, and the kernel can become unresponsive during the affected operations.
The root cause is improper handling of RCU semantics in the packet type iteration functions. ptype_seq_show() runs under rcu_read_lock() but reads the pt->dev field without any barrier or other RCU synchronization. Meanwhile, concurrent writers can remove packet_type structures (which are correctly freed only after an RCU grace period) yet clear pt->dev without waiting for a grace period. A reader may therefore observe a freed or modified device pointer, which can lead to memory corruption or a system hang. The weakness is classified as CWE-362 (Race Condition) and, more precisely, CWE-367 (Time-of-Check to Time-of-Use, TOCTOU) in the context of RCU operations.
The operational impact goes beyond performance degradation: the vulnerability can cause system instability and denial of service. An RCU stall during proc filesystem access can block other kernel operations from making progress, effectively a deadlock that may require a reboot to clear. An attacker could potentially trigger concurrent access patterns that drive the kernel into the stall condition and disrupt service. Affected systems are those running Linux kernels that contain the problematic packet type handling code in the networking subsystem, which covers a wide range of server and embedded systems that depend on network packet processing.
The fix introduces a new data structure, ptype_iter_state, that carries a device pointer alongside seq_net_private, so the device pointer is captured during iteration and retained across the sequence operations. The device pointer is recorded in both ptype_get_idx() and ptype_seq_next(), which lets ptype_seq_show() operate safely against concurrent modifications of pt->dev. The patch also adds full RCU protection in ptype_seq_next() by using READ_ONCE() when reading list.next values, which prevents the compiler from optimizing away necessary memory barriers and ensures proper ordering of memory operations. This remediation aligns with ATT&CK technique T1499.004 (Network Denial of Service) and demonstrates the importance of proper synchronization primitives in kernel code. The fix addresses the fundamental flaw in RCU handling by ensuring that every memory access in the read-side critical section respects RCU semantics, removing the race that leads to system instability.
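As an added illustration, not kernel code and not part of this advisory: a user-space C model of the check-then-use pattern on pt->dev that the fix removes, replaying the interleaving next(), writer clears pt->dev, show() against both the pre-fix and the patched iterator shape. The device and entry (eth0, pt0) and all helper names are constructed; RCU is reduced to the single property the snapshot relies on, that the net_device stays valid until a grace period ends even though pt->dev is cleared immediately.

```c
/* Constructed user-space model of the CVE-2026-23255 reader/writer race.
 * Not kernel code: "RCU" here is only the guarantee that the net_device a
 * reader snapshotted stays valid while its read-side section is open. */
#include <stdatomic.h>
#include <string.h>

struct net_device { char name[16]; };
struct packet_type { struct net_device *_Atomic dev; };   /* pt->dev, cleared by writers */
/* Iterator state in the shape the patch introduces: the dev pointer travels
 * with the iterator (the seq_net_private part is reduced to the current entry). */
struct ptype_iter_state { struct packet_type *pt; struct net_device *dev; };

static struct net_device eth0 = { "eth0" };   /* constructed sample device */
static struct packet_type pt0;                /* constructed sample entry */

/* Pre-fix shape: next() only remembers which entry we are on ... */
static void next_unpatched(struct ptype_iter_state *it, struct packet_type *pt) {
    it->pt = pt; it->dev = NULL;
}
/* ... and show() goes back to pt->dev at display time, so a writer that
 * cleared it in between changes what the reader sees (and without READ_ONCE()
 * the compiler may even reload the pointer between the NULL check and the use). */
static const char *show_unpatched(struct ptype_iter_state *it) {
    struct net_device *dev = atomic_load_explicit(&it->pt->dev, memory_order_relaxed);
    return dev ? dev->name : "";
}

/* Patched shape: one READ_ONCE()-style load of pt->dev in next(), inside the
 * read-side critical section; show() only ever uses the snapshot. */
static void next_patched(struct ptype_iter_state *it, struct packet_type *pt) {
    it->pt = pt;
    it->dev = atomic_load_explicit(&pt->dev, memory_order_acquire);
}
static const char *show_patched(struct ptype_iter_state *it) {
    return it->dev ? it->dev->name : "";
}

/* Writer side: detach the device from the packet_type without a grace period. */
static void writer_clear_dev(struct packet_type *pt) {
    atomic_store_explicit(&pt->dev, NULL, memory_order_release);
}

/* Replay one interleaving: next(), writer clears pt->dev, show(). Returns the
 * device name the reader would print; "" means the reader lost the device. */
const char *run_interleaving(int patched) {
    struct ptype_iter_state it;
    atomic_store_explicit(&pt0.dev, &eth0, memory_order_relaxed);
    if (patched) next_patched(&it, &pt0); else next_unpatched(&it, &pt0);
    writer_clear_dev(&pt0);                   /* the concurrent writer step */
    return patched ? show_patched(&it) : show_unpatched(&it);
}
```

The unpatched reader reports an empty device name for the entry once the writer has cleared pt->dev; the patched reader still reports eth0 from its snapshot.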