Linux Kernel up to 7.0-rc4 IRQ mana_hwc_destroy_channel null pointer dereference

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.8 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Linux Kernel up to 7.0-rc4. It has been rated as critical. This affects the function mana_hwc_destroy_channel of the component IRQ Handler. This manipulation causes null pointer dereference.
The identification of this vulnerability is CVE-2026-23454. There is no exploit available.
Upgrading the affected component is advised.
Details
A vulnerability classified as critical was found in Linux Kernel up to 7.0-rc4. Affected by this vulnerability is the function mana_hwc_destroy_channel of the component IRQ Handler. The manipulation with an unknown input leads to a null pointer dereference vulnerability. The CWE definition for the vulnerability is CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. As an impact it is known to affect availability. The summary by CVE is:
In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown A potential race condition exists in mana_hwc_destroy_channel() where hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt handler to dereference freed memory, leading to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp(). mana_smc_teardown_hwc() signals the hardware to stop but does not synchronize against IRQ handlers already executing on other CPUs. The IRQ synchronization only happens in mana_hwc_destroy_cq() via mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() can dereference freed caller_ctx (and rxq->msg_buf) in mana_hwc_handle_resp(). Fix this by reordering teardown to reverse-of-creation order: destroy the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This ensures all in-flight interrupt handlers complete before the memory they access is freed.
It is possible to read the advisory at git.kernel.org. This vulnerability is known as CVE-2026-23454 since 01/13/2026. The exploitation appears to be difficult. Technical details of the vulnerability are known, but there is no available exploit.
The vulnerability scanner Nessus provides a plugin with the ID 304972 (Linux Distros Unpatched Vulnerability : CVE-2026-23454), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10 or 7.0-rc5 eliminates this vulnerability. Applying the patch e23bf444512cb85d76012080a76cd1f9e967448e/249e905571583a434d4ea8d6f92ccc0eef337115/2b001901f689021acd7bf2dceed74a1bdcaaa1f9/afdb1533eb9c05432aeb793a7280fa827c502f5c/05d345719d85b927cba74afac4d5322de3aa4256/fa103fc8f56954a60699a29215cb713448a39e87 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at Tenable (304972), EUVD (EUVD-2026-18708) and CERT Bund (WID-SEC-2026-0985). Be aware that VulDB is the high quality source for vulnerability data.
Affected
- Google Container-Optimized OS
- Debian Linux
- Amazon Linux 2
- Red Hat Enterprise Linux
- Ubuntu Linux
- SUSE Linux
- Oracle Linux
- SUSE openSUSE
- Open Source Linux Kernel
- RESF Rocky Linux
- Microsoft Azure Linux
Product
Type
Vendor
Name
Version
- 6.1.166
- 6.6.129
- 6.12.0
- 6.12.1
- 6.12.2
- 6.12.3
- 6.12.4
- 6.12.5
- 6.12.6
- 6.12.7
- 6.12.8
- 6.12.9
- 6.12.10
- 6.12.11
- 6.12.12
- 6.12.13
- 6.12.14
- 6.12.15
- 6.12.16
- 6.12.17
- 6.12.18
- 6.12.19
- 6.12.20
- 6.12.21
- 6.12.22
- 6.12.23
- 6.12.24
- 6.12.25
- 6.12.26
- 6.12.27
- 6.12.28
- 6.12.29
- 6.12.30
- 6.12.31
- 6.12.32
- 6.12.33
- 6.12.34
- 6.12.35
- 6.12.36
- 6.12.37
- 6.12.38
- 6.12.39
- 6.12.40
- 6.12.41
- 6.12.42
- 6.12.43
- 6.12.44
- 6.12.45
- 6.12.46
- 6.12.47
- 6.12.48
- 6.12.49
- 6.12.50
- 6.12.51
- 6.12.52
- 6.12.53
- 6.12.54
- 6.12.55
- 6.12.56
- 6.12.57
- 6.12.58
- 6.12.59
- 6.12.60
- 6.12.61
- 6.12.62
- 6.12.63
- 6.12.64
- 6.12.65
- 6.12.66
- 6.12.67
- 6.12.68
- 6.12.69
- 6.12.70
- 6.12.71
- 6.12.72
- 6.12.73
- 6.12.74
- 6.12.75
- 6.12.76
- 6.12.77
- 6.18.0
- 6.18.1
- 6.18.2
- 6.18.3
- 6.18.4
- 6.18.5
- 6.18.6
- 6.18.7
- 6.18.8
- 6.18.9
- 6.18.10
- 6.18.11
- 6.18.12
- 6.18.13
- 6.18.14
- 6.18.15
- 6.18.16
- 6.18.17
- 6.18.18
- 6.18.19
- 6.19.0
- 6.19.1
- 6.19.2
- 6.19.3
- 6.19.4
- 6.19.5
- 6.19.6
- 6.19.7
- 6.19.8
- 6.19.9
- 7.0-rc1
- 7.0-rc2
- 7.0-rc3
- 7.0-rc4
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.9VulDB Meta Temp Score: 5.8
VulDB Base Score: 4.8
VulDB Temp Score: 4.6
VulDB Vector: 🔒
VulDB Reliability: 🔍
NVD Base Score: 7.0
NVD Vector: 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Null pointer dereferenceCWE: CWE-476 / CWE-404
CAPEC: 🔒
ATT&CK: 🔒
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 304972
Nessus Name: Linux Distros Unpatched Vulnerability : CVE-2026-23454
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: Kernel 6.1.167/6.6.130/6.12.78/6.18.20/6.19.10/7.0-rc5
Patch: e23bf444512cb85d76012080a76cd1f9e967448e/249e905571583a434d4ea8d6f92ccc0eef337115/2b001901f689021acd7bf2dceed74a1bdcaaa1f9/afdb1533eb9c05432aeb793a7280fa827c502f5c/05d345719d85b927cba74afac4d5322de3aa4256/fa103fc8f56954a60699a29215cb713448a39e87
Timeline
01/13/2026 CVE reserved04/03/2026 Advisory disclosed
04/03/2026 VulDB entry created
06/25/2026 VulDB entry last update
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2026-23454 (🔒)
GCVE (CVE): GCVE-0-2026-23454
GCVE (VulDB): GCVE-100-355159
EUVD: 🔒
CERT Bund: WID-SEC-2026-0985 - Linux Kernel: Mehrere Schwachstellen
Entry
Created: 04/03/2026 18:16Updated: 06/25/2026 10:30
Changes: 04/03/2026 18:16 (60), 04/08/2026 07:16 (2), 04/19/2026 21:50 (1), 05/27/2026 03:52 (11), 06/25/2026 10:30 (7)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.