HIGH
macvlan Source Entry UAF
CVE-2026-23001
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https://lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
02 KernelScan AI Analysis
Risk summary
A use-after-free in the Linux kernel's macvlan driver can crash the kernel (denial of service) and, as with any kernel UAF, may be usable for code execution in kernel context. It is reached when frames are being forwarded by a macvlan interface in source mode at the same time as that interface's source-MAC entries are being removed, so the receive path dereferences memory that has already been freed. Only systems that actually use macvlan source mode are exposed; the CVSS vector is local (AV:L), since the entry removal is a local configuration operation, and the window is widest on hosts that forward high volumes of traffic or give several tenants macvlan interfaces.
Vulnerability analysis
Root Cause: macvlan_forward_source() walks the port's source-entry hash list under RCU and dereferences entry->vlan for every matching entry. macvlan_hash_del_source() unlinked an entry with hlist_del_rcu() and deferred its release with kfree_rcu(), but left entry->vlan untouched. A reader that had entered its RCU read-side section before the unlink could therefore still reach the entry during the grace period and follow a vlan pointer that no longer referred to a valid macvlan_dev.
Attack Surface: The writer side is local configuration, not the wire. macvlan_hash_del_source() runs from netlink link changes on the interface (removing or flushing source MACs, e.g. `ip link set dev mv0 type macvlan macaddr del <mac>` or `macaddr flush`, or switching the interface out of source mode) and from interface teardown; those need CAP_NET_ADMIN over the interface's network namespace. The reader side is the receive path, so the other ingredient is ordinary traffic whose source MAC matches an entry, arriving while entries are being removed. An attacker who can reconfigure the macvlan can usually also generate that traffic, which is why the vector is local (AV:L) with low privileges (PR:L) rather than purely remote.
Fix Mechanism: The patch makes the vlan pointer itself RCU-managed: 1) the field is annotated __rcu, 2) macvlan_hash_del_source() clears entry->vlan to NULL before the grace period starts, i.e. before kfree_rcu() is queued, so any reader that survives into the window observes NULL instead of a stale pointer, 3) macvlan_forward_source() reads the pointer with rcu_dereference() and skips entries whose vlan is NULL, and 4) the remaining accesses use rcu_access_pointer()/rcu_dereference() so reads pair correctly with the writer's clear. The invariant worth checking in any similar RCU-protected structure: a pointer embedded in an RCU-freed object must be invalidated before the object is handed to call_rcu()/kfree_rcu(), and every reader must tolerate the NULL.
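The ordering the fix depends on, as an added userspace model that is not the driver's code: the kernel's RCU primitives are replaced by an explicit grace_period_end() step so the window between the delete and the deferred free can be inspected directly. The function names, the hash array, the `fixed` switch and the source MAC are all constructed for this example; they mirror the driver's names only for readability.

```c
/*
 * Userspace model of the race fixed in macvlan_forward_source().
 * RCU is simulated: hash_del_source() unlinks and queues a free, and
 * grace_period_end() performs the deferred frees. Not driver code.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NSLOTS 8

struct macvlan_dev {
	char name[16];
	bool freed;		/* models the device memory being released */
};

struct macvlan_source_entry {
	struct macvlan_dev *vlan;	/* __rcu in the patched driver */
	unsigned char addr[6];
	bool linked;		/* on the hlist: visible to new readers */
	bool pending_free;	/* kfree_rcu() queued, grace period not over */
};

static struct macvlan_source_entry hash[NSLOTS];

/* Like macvlan_hash_add_source(), minus the allocation. */
static struct macvlan_source_entry *
hash_add_source(struct macvlan_dev *vlan, const unsigned char *addr)
{
	for (int i = 0; i < NSLOTS; i++) {
		struct macvlan_source_entry *e = &hash[i];

		if (e->linked || e->pending_free)
			continue;
		e->vlan = vlan;
		memcpy(e->addr, addr, 6);
		e->linked = true;
		return e;
	}
	return NULL;
}

/*
 * Like macvlan_hash_del_source(). fixed=true clears the vlan pointer before
 * the grace period starts, as the patch does; fixed=false leaves it dangling
 * until the deferred free, as the unpatched driver did.
 */
static void hash_del_source(struct macvlan_source_entry *e, bool fixed)
{
	e->linked = false;		/* hlist_del_rcu(): hidden from new readers */
	if (fixed)
		e->vlan = NULL;		/* RCU_INIT_POINTER(entry->vlan, NULL) */
	e->pending_free = true;		/* kfree_rcu(): memory outlives the grace period */
}

/* End of the RCU grace period: deferred frees happen now. */
static void grace_period_end(void)
{
	for (int i = 0; i < NSLOTS; i++)
		if (hash[i].pending_free)
			memset(&hash[i], 0, sizeof(hash[i]));
}

/*
 * Reader side, like macvlan_forward_source(). A reader that entered its RCU
 * read-side section before the delete can still hold a pending-free entry,
 * so such entries are visited too. Returns the device a frame from src would
 * reach, or NULL if no usable entry matches.
 */
static struct macvlan_dev *forward_source(const unsigned char *src)
{
	for (int i = 0; i < NSLOTS; i++) {
		struct macvlan_source_entry *e = &hash[i];
		struct macvlan_dev *vlan;

		if (!e->linked && !e->pending_free)
			continue;
		if (memcmp(e->addr, src, 6) != 0)
			continue;
		vlan = e->vlan;		/* rcu_dereference(entry->vlan) in the patch */
		if (!vlan)
			continue;	/* entry queued for freeing: skip it */
		return vlan;
	}
	return NULL;
}

/* Constructed source MAC used by the scenarios below. */
static const unsigned char src_mac[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };

/* Baseline: a live entry resolves to its device. */
static bool live_entry_resolves(void)
{
	struct macvlan_dev dev = { .name = "mv0", .freed = false };

	memset(hash, 0, sizeof(hash));
	hash_add_source(&dev, src_mac);
	return forward_source(src_mac) == &dev;
}

/*
 * The race: the device is torn down and its entry deleted while a reader is
 * in flight, before the grace period ends. True if the reader would
 * dereference the freed device.
 */
static bool reader_hits_freed_device(bool fixed)
{
	struct macvlan_dev dev = { .name = "mv0", .freed = false };
	struct macvlan_source_entry *e;
	struct macvlan_dev *got;

	memset(hash, 0, sizeof(hash));
	e = hash_add_source(&dev, src_mac);
	hash_del_source(e, fixed);
	dev.freed = true;		/* device gone; entry still pending free */
	got = forward_source(src_mac);	/* in-flight reader, pre grace period */
	grace_period_end();
	return got != NULL && got->freed;
}

int main(void)
{
	printf("live lookup resolves: %s\n", live_entry_resolves() ? "yes" : "no");
	printf("unpatched reader UAF: %s\n", reader_hits_freed_device(false) ? "yes" : "no");
	printf("patched reader UAF:   %s\n", reader_hits_freed_device(true) ? "yes" : "no");
	return 0;
}
```

The model keeps the unpatched and patched paths identical on the reader side except for the NULL check, which is exactly why the fix has to live in the delete path: a reader already past hlist_del_rcu() cannot be told the entry is dying unless the writer invalidates the embedded pointer before queuing the free.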
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.249 | 8133e85b8a3e |
| 5.15 | 5.15.199 | 484919832e2d |
| 6.1 | 6.1.162 | 232afc74a6dd |
| 6.6 | 6.6.122 | 15f6faf36e16 |
| 6.12 | 6.12.67 | 8518712a2ca9 |
| 6.18 | 6.18.7 | 6dbead9c7677 |
| mainline | 6.19 | 7470a7a63dc1 |