CVE-2026-23257 in Linux

Summary

by MITRE • 03/18/2026

In the Linux kernel, the following vulnerability has been resolved:

net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup

In setup_nic_devices(), the initialization loop jumps to the label setup_nic_dev_free on failure. The current cleanup loop while(i--) skips the failing index i, causing a memory leak.

Fix this by changing the loop to iterate from the current index i down to 0.

Also, decrement i in the devlink_alloc failure path to point to the last successfully allocated index.

Compile tested only. Issue found using code review.


Analysis

by VulDB Data Team • 05/21/2026

The vulnerability identified as CVE-2026-23257 resides within the Linux kernel's liquidio network driver implementation, specifically affecting the PF (Physical Function) setup_nic_devices() function. This represents a critical memory management flaw that can lead to resource exhaustion and potential system instability. The liquidio driver is designed to support specific network hardware and operates at the kernel level where such defects can have severe operational consequences. The issue manifests as an off-by-one error during the device setup cleanup phase, where the driver fails to properly release allocated resources when initialization encounters failures.

The technical flaw occurs in the cleanup loop implementation within the setup_nic_devices() function where the code employs a decrementing loop structure while(i--) that skips the failing index during resource deallocation. This programming error creates a memory leak scenario where resources allocated at the failing index remain unreleased, while the loop correctly processes all previously allocated devices. The improper loop logic causes the driver to bypass cleanup of the specific device that triggered the failure condition, leading to accumulation of unreleased memory allocations. This type of error falls under CWE-129, which addresses improper validation of array indices, and CWE-457, which covers use of uninitialized variables, as the cleanup mechanism fails to properly account for all allocated resources.

The operational impact of this vulnerability extends beyond simple memory leaks to potentially compromise system stability and performance. When the liquidio driver encounters initialization failures during network device setup, the incomplete cleanup process can result in progressive memory consumption that may eventually lead to system resource exhaustion. This degradation in system resources can manifest as reduced performance, application instability, or even complete system crashes under sustained load conditions. The vulnerability is particularly concerning in high-throughput network environments where the liquidio driver is actively managing multiple network interfaces and where resource leaks can compound over time, creating a latent condition that may only become apparent under specific operational stress scenarios.

Mitigation strategies for this vulnerability should focus on immediate code correction through the implementation of the proposed fix, which involves modifying the cleanup loop to iterate from the current failing index down to zero, ensuring all previously allocated resources are properly released. System administrators should prioritize kernel updates that incorporate this specific fix, as the vulnerability affects core network functionality and could be exploited to create denial-of-service conditions. Additionally, monitoring systems should be implemented to track memory usage patterns and identify potential resource leaks in environments where the liquidio driver is actively deployed. The fix aligns with ATT&CK technique T1499.004, which addresses network denial of service through resource exhaustion, and represents a fundamental requirement for maintaining system integrity in networked computing environments. Organizations should also conduct thorough regression testing to ensure that the applied fix does not introduce new behavioral changes or compatibility issues with existing network infrastructure components.
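The cleanup-loop off-by-one described in the summary and analysis above, as a user-space C model added here for illustration (it is not the liquidio driver's code). The names setup_devices(), dev_alloc(), dev_free(), NDEV and the late/fixed switches are hypothetical; the model counts objects left unreleased by a while (i--) cleanup versus a loop that starts at the failing index, including the extra decrement needed when slot i was never populated.

```c
#include <stdio.h>

#define NDEV 4

static int live;                       /* objects allocated and not yet released */
static char slot[NDEV];                /* stand-in for per-device objects */

static void *dev_alloc(int i) { live++; return &slot[i]; }
static void dev_free(void *p) { if (p) live--; }

/* Slot fail_at fails before its allocation (late == 0) or after it
 * (late == 1). Returns the number of objects leaked by the cleanup. */
static int setup_devices(int fail_at, int late, int fixed)
{
    void *dev[NDEV] = { 0 };
    int i;

    live = 0;
    for (i = 0; i < NDEV; i++) {
        if (!(i == fail_at && !late))
            dev[i] = dev_alloc(i);
        if (!dev[i]) {                 /* slot i was never populated */
            if (fixed)
                i--;                   /* point at the last populated slot */
            goto cleanup;
        }
        if (i == fail_at && late)
            goto cleanup;              /* dev[i] is populated and must be freed */
    }
    i = NDEV - 1;                      /* no failure: tear everything down */
    fixed = 1;
cleanup:
    if (fixed) {
        for (; i >= 0; i--)            /* starts at the failing index */
            dev_free(dev[i]);
    } else {
        while (i--)                    /* pre-fix shape: starts at i - 1 */
            dev_free(dev[i]);
    }
    return live;
}

int main(void)
{
    printf("leaked with while (i--):   %d\n", setup_devices(2, 1, 0));
    printf("leaked with loop from i:   %d\n", setup_devices(2, 1, 1));
    return 0;
}
```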

Responsible

Linux

Reservation

01/13/2026

Disclosure

03/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00018

KEV

no

Activities

very low

Sources
