目標達成 すべての支援者に感謝 — 100%達成しました!

目標: 1000 CNY · 調達済み: 1336 CNY

100%

CVE-2026-23192— Linux kernel 安全漏洞

CVSS 7.8 · High EPSS 0.12% · P3

Possible ATT&CK Techniques 1AI

T1203 · Exploitation for Client Execution

Affected Version Matrix 6

ベンダープロダクトVersion Rangeステータス
LinuxLinux04efcee6ef8d0f01eef495db047e7216d6e6e38f< 2718ae6af7445ba2ee0abf6365ca43a9a3b16aebaffected
04efcee6ef8d0f01eef495db047e7216d6e6e38f< 83b67cc9be9223183caf91826d9c194d7fb128faaffected
6.15affected
< 6.15unaffected
6.18.10≤ 6.18.*unaffected
6.19≤ *unaffected
新しい脆弱性情報の通知を購読するログインして購読

I. CVE-2026-23192の基本情報

脆弱性情報

脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗

高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。

脆弱性タイトル
linkwatch: use __dev_put() in callers to prevent UAF
ソース: NVD (National Vulnerability Database)
脆弱性説明
In the Linux kernel, the following vulnerability has been resolved: linkwatch: use __dev_put() in callers to prevent UAF After linkwatch_do_dev() calls __dev_put() to release the linkwatch reference, the device refcount may drop to 1. At this point, netdev_run_todo() can proceed (since linkwatch_sync_dev() sees an empty list and returns without blocking), wait for the refcount to become 1 via netdev_wait_allrefs_any(), and then free the device via kobject_put(). This creates a use-after-free when __linkwatch_run_queue() tries to call netdev_unlock_ops() on the already-freed device. Note that adding netdev_lock_ops()/netdev_unlock_ops() pair in netdev_run_todo() before kobject_put() would not work, because netdev_lock_ops() is conditional - it only locks when netdev_need_ops_lock() returns true. If the device doesn't require ops_lock, linkwatch won't hold any lock, and netdev_run_todo() acquiring the lock won't provide synchronization. Fix this by moving __dev_put() from linkwatch_do_dev() to its callers. The device reference logically pairs with de-listing the device, so it's reasonable for the caller that did the de-listing to release it. This allows placing __dev_put() after all device accesses are complete, preventing UAF. The bug can be reproduced by adding mdelay(2000) after linkwatch_do_dev() in __linkwatch_run_queue(), then running: ip tuntap add mode tun name tun_test ip link set tun_test up ip link set tun_test carrier off ip link set tun_test carrier on sleep 0.5 ip tuntap del mode tun name tun_test KASAN report: ================================================================== BUG: KASAN: use-after-free in netdev_need_ops_lock include/net/netdev_lock.h:33 [inline] BUG: KASAN: use-after-free in netdev_unlock_ops include/net/netdev_lock.h:47 [inline] BUG: KASAN: use-after-free in __linkwatch_run_queue+0x865/0x8a0 net/core/link_watch.c:245 Read of size 8 at addr ffff88804de5c008 by task kworker/u32:10/8123 CPU: 0 UID: 0 PID: 8123 Comm: kworker/u32:10 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: events_unbound linkwatch_event Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x156/0x4c9 mm/kasan/report.c:482 kasan_report+0xdf/0x1a0 mm/kasan/report.c:595 netdev_need_ops_lock include/net/netdev_lock.h:33 [inline] netdev_unlock_ops include/net/netdev_lock.h:47 [inline] __linkwatch_run_queue+0x865/0x8a0 net/core/link_watch.c:245 linkwatch_event+0x8f/0xc0 net/core/link_watch.c:304 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3421 kthread+0x3b3/0x730 kernel/kthread.c:463 ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> ==================================================================
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
N/A
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
Linux kernel 安全漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于linkwatch_do_dev函数释放后重用,可能导致内核崩溃。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)

影響を受ける製品

ベンダープロダクト影響を受けるバージョンCPE購読
LinuxLinux 04efcee6ef8d0f01eef495db047e7216d6e6e38f ~ 2718ae6af7445ba2ee0abf6365ca43a9a3b16aeb -
LinuxLinux 6.15 -

II. CVE-2026-23192の公開POC

#POC説明ソースリンクShenlongリンク
AI生成POCプレミアム

公開POCは見つかりませんでした。

ログインしてAI POCを生成

III. CVE-2026-23192のインテリジェンス情報

登录查看更多情报信息。

Same Patch Batch · Linux · 2026-02-14 · 108 CVEs total

CVE-2026-231938.8 HIGHscsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
CVE-2026-231728.4 HIGHnet: wwan: t7xx: fix potential skb->frags overflow in RX path
CVE-2026-232097.8 HIGHmacvlan: fix error recovery in macvlan_common_newlink()
CVE-2026-231787.8 HIGHHID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
CVE-2026-231847.8 HIGHbinder: fix UAF in binder_netlink_report()
CVE-2026-231857.8 HIGHwifi: iwlwifi: mld: cancel mlo_scan_start_wk
CVE-2026-231717.8 HIGHbonding: fix use-after-free due to enslave fail after slave array update
CVE-2026-231697.8 HIGHmptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
CVE-2026-231917.8 HIGHALSA: aloop: Fix racy access at PCM trigger
CVE-2026-231987.8 HIGHKVM: Don't clobber irqfd routing type when deassigning irqfd
CVE-2026-231367.5 HIGHlibceph: reset sparse-read state in osd_fault()
CVE-2026-231487.5 HIGHnvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference
CVE-2026-231397.5 HIGHnetfilter: nf_conncount: update last_gc only when GC has been performed
CVE-2026-231617.3 HIGHmm/shmem, swap: fix race of truncate and swap entry split
CVE-2026-232047.1 HIGHnet/sched: cls_u32: use skb_header_pointer_careful()
CVE-2026-231957.0 HIGHcgroup/dmem: avoid pool UAF
CVE-2026-231757.0 HIGHnet: cpsw: Execute ndo_set_rx_mode callback in a work queue
CVE-2026-231807.0 HIGHdpaa2-switch: add bounds check for if_id in IRQ handler
CVE-2026-23138tracing: Add recursion protection in kernel stack trace recording
CVE-2025-71202iommu/sva: invalidate stale IOTLB entries for kernel address space

Showing 20 of 108 CVEs. View all on vendor page →

IV. 関連脆弱性

V. CVE-2026-23192へのコメント

まだコメントはありません


コメントを残す