HIGH
octeon_ep_vf IRQ Rollback UAF
CVE-2026-23013
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.0 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback

octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqaction registered.

This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or crash when an interrupt fires.

Fix the error path to free IRQs with the same ioq_vector dev_id used during request_irq().
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the Octeon EP VF network driver occurs when IRQ setup fails partway through. The incorrect cleanup leaves interrupt handlers pointing to freed memory, which can cause crashes or potentially be exploited when interrupts fire after the memory is reused.
Vulnerability analysis
Root Cause: In octep_vf_request_irqs(), MSI-X queue IRQs are registered with dev_id set to ioq_vector, but the error rollback path incorrectly calls free_irq() with dev_id set to 'oct' instead. This dev_id mismatch prevents proper IRQ deregistration, leaving stale irqaction entries that reference the ioq_vector memory.
Attack Surface: Local attack surface requiring device driver initialization to fail at a specific point. The vulnerability is triggered during network device setup when MSI-X IRQ allocation partially fails, making it dependent on hardware presence and driver load timing.
Fix Mechanism: The patch corrects the error rollback loop to use the same ioq_vector dev_id (oct->ioq_vector[i]) when calling free_irq() that was originally used during request_irq(). This ensures proper IRQ cleanup and prevents dangling references.
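The dev_id mismatch described above, modelled in userspace C as an added example (it is not the driver's code or the upstream patch). model_request_irq(), model_free_irq(), the struct layouts and the IRQ numbers are constructed stand-ins; only the rule that an action is released by matching (irq, dev_id) is modelled.

```c
#include <stdio.h>
/* Constructed userspace model, not kernel code: like the kernel's IRQ core,
 * it identifies a registered action by the pair (irq, dev_id). */
#define MAX_ACT 8
#define NVEC 4
static struct action { unsigned irq; void *dev_id; int used; } table[MAX_ACT];
struct ioq_vector { int id; };                          /* hypothetical stand-in */
struct oct_dev { struct ioq_vector *ioq_vector[NVEC]; }; /* hypothetical stand-in */

static int model_request_irq(unsigned irq, void *dev_id, int fail)
{
    for (int i = 0; !fail && i < MAX_ACT; i++)
        if (!table[i].used) {
            table[i] = (struct action){ irq, dev_id, 1 };
            return 0;
        }
    return -1;
}

/* Removes only the action whose dev_id matches; otherwise it stays live. */
static void model_free_irq(unsigned irq, void *dev_id)
{
    for (int i = 0; i < MAX_ACT; i++)
        if (table[i].used && table[i].irq == irq && table[i].dev_id == dev_id)
            table[i].used = 0;
}

/* Request NVEC queue IRQs, fail at fail_at, roll back; return actions left. */
static int stale_after_rollback(int fail_at, int fixed)
{
    static struct ioq_vector vecs[NVEC];
    struct oct_dev dev, *oct = &dev;
    int i, stale = 0;
    for (i = 0; i < MAX_ACT; i++) table[i].used = 0;
    for (i = 0; i < NVEC; i++) oct->ioq_vector[i] = &vecs[i];
    for (i = 0; i < NVEC; i++)
        if (model_request_irq(100 + i, oct->ioq_vector[i], i == fail_at))
            break;
    if (i < NVEC)                        /* error path: undo entries 0..i-1 */
        while (--i >= 0)                 /* fixed=0 reproduces the mismatch */
            model_free_irq(100 + i, fixed ? (void *)oct->ioq_vector[i] : (void *)oct);
    for (i = 0; i < MAX_ACT; i++) stale += table[i].used;
    return stale;
}

int main(void)
{
    printf("left registered: dev_id=oct %d, dev_id=oct->ioq_vector[i] %d\n",
           stale_after_rollback(3, 0), stale_after_rollback(3, 1));
}
```

Every action left registered after the rollback still holds a pointer to an ioq_vector that the unwind path goes on to free, which is the dangling reference the fix removes.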
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.67 | aa05a8371ae4 |
| 6.18 | 6.18.7 | aa4c066229b0 |
| mainline | 6.19 | f93fc5d12d69 |