目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2026-23294— Linux kernel 安全漏洞

CVSS 7.0 · High EPSS 0.09% · P1

影响版本矩阵 8

厂商产品版本范围状态
LinuxLinux3253cb49cbad4772389d6ef55be75db1f97da910< 6c10b019785dc282c5f45d21e4a3f468b8fd6476affected
3253cb49cbad4772389d6ef55be75db1f97da910< ab1a56c9d99189aa5c6e03940d06e40ba6a28240affected
3253cb49cbad4772389d6ef55be75db1f97da910< 1872e75375c40add4a35990de3be77b5741c252caffected
6.18affected
< 6.18unaffected
6.18.17≤ 6.18.*unaffected
6.19.7≤ 6.19.*unaffected
7.0≤ *unaffected
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2026-23294 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
bpf: Fix race in devmap on PREEMPT_RT
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix race in devmap on PREEMPT_RT On PREEMPT_RT kernels, the per-CPU xdp_dev_bulk_queue (bq) can be accessed concurrently by multiple preemptible tasks on the same CPU. The original code assumes bq_enqueue() and __dev_flush() run atomically with respect to each other on the same CPU, relying on local_bh_disable() to prevent preemption. However, on PREEMPT_RT, local_bh_disable() only calls migrate_disable() (when PREEMPT_RT_NEEDS_BH_LOCK is not set) and does not disable preemption, which allows CFS scheduling to preempt a task during bq_xmit_all(), enabling another task on the same CPU to enter bq_enqueue() and operate on the same per-CPU bq concurrently. This leads to several races: 1. Double-free / use-after-free on bq->q[]: bq_xmit_all() snapshots cnt = bq->count, then iterates bq->q[0..cnt-1] to transmit frames. If preempted after the snapshot, a second task can call bq_enqueue() -> bq_xmit_all() on the same bq, transmitting (and freeing) the same frames. When the first task resumes, it operates on stale pointers in bq->q[], causing use-after-free. 2. bq->count and bq->q[] corruption: concurrent bq_enqueue() modifying bq->count and bq->q[] while bq_xmit_all() is reading them. 3. dev_rx/xdp_prog teardown race: __dev_flush() clears bq->dev_rx and bq->xdp_prog after bq_xmit_all(). If preempted between bq_xmit_all() return and bq->dev_rx = NULL, a preempting bq_enqueue() sees dev_rx still set (non-NULL), skips adding bq to the flush_list, and enqueues a frame. When __dev_flush() resumes, it clears dev_rx and removes bq from the flush_list, orphaning the newly enqueued frame. 4. __list_del_clearprev() on flush_node: similar to the cpumap race, both tasks can call __list_del_clearprev() on the same flush_node, the second dereferences the prev pointer already set to NULL. The race between task A (__dev_flush -> bq_xmit_all) and task B (bq_enqueue -> bq_xmit_all) on the same CPU: Task A (xdp_do_flush) Task B (ndo_xdp_xmit redirect) ---------------------- -------------------------------- __dev_flush(flush_list) bq_xmit_all(bq) cnt = bq->count /* e.g. 16 */ /* start iterating bq->q[] */ <-- CFS preempts Task A --> bq_enqueue(dev, xdpf) bq->count == DEV_MAP_BULK_SIZE bq_xmit_all(bq, 0) cnt = bq->count /* same 16! */ ndo_xdp_xmit(bq->q[]) /* frames freed by driver */ bq->count = 0 <-- Task A resumes --> ndo_xdp_xmit(bq->q[]) /* use-after-free: frames already freed! */ Fix this by adding a local_lock_t to xdp_dev_bulk_queue and acquiring it in bq_enqueue() and __dev_flush(). These paths already run under local_bh_disable(), so use local_lock_nested_bh() which on non-RT is a pure annotation with no overhead, and on PREEMPT_RT provides a per-CPU sleeping lock that serializes access to the bq.
来源: 美国国家漏洞数据库 NVD
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
Linux kernel 安全漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于竞争条件,可能导致双重释放或释放后重用。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD

受影响产品

厂商产品影响版本CPE订阅
LinuxLinux 3253cb49cbad4772389d6ef55be75db1f97da910 ~ 6c10b019785dc282c5f45d21e4a3f468b8fd6476 -
LinuxLinux 6.18 -

二、漏洞 CVE-2026-23294 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2026-23294 的情报信息

登录查看更多情报信息。

CVE-2026-23294 补丁与修复 (3)

同批安全公告 · Linux · 2026-03-25 · 共 116 条

CVE-2026-233958.8 HIGHLinux kernel 安全漏洞
CVE-2026-317888.2 HIGHLinux kernel 安全漏洞
CVE-2026-233407.8 HIGHLinux kernel 安全漏洞
CVE-2026-233367.8 HIGHLinux kernel 安全漏洞
CVE-2026-233507.8 HIGHLinux kernel 安全漏洞
CVE-2026-233517.8 HIGHLinux kernel 安全漏洞
CVE-2026-233177.8 HIGHLinux kernel 安全漏洞
CVE-2026-233067.8 HIGHLinux kernel 安全漏洞
CVE-2026-233727.8 HIGHLinux kernel 安全漏洞
CVE-2026-233787.8 HIGHLinux kernel 安全漏洞
CVE-2026-233837.8 HIGHLinux kernel 安全漏洞
CVE-2026-233927.8 HIGHLinux kernel 安全漏洞
CVE-2026-233917.8 HIGHLinux kernel 安全漏洞
CVE-2026-233937.8 HIGHLinux kernel 安全漏洞
CVE-2026-232807.8 HIGHLinux kernel 安全漏洞
CVE-2026-232887.8 HIGHLinux kernel 安全漏洞
CVE-2026-233647.4 HIGHLinux kernel 安全漏洞
CVE-2026-23357Linux kernel 安全漏洞
CVE-2026-23358Linux kernel 安全漏洞
CVE-2026-23355Linux kernel 安全漏洞

显示前 20 条,共 116 条。 查看全部 &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-23294

暂无评论


发表评论