HIGH
netrom Route Frame Double-Free
CVE-2026-23098
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 8.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

netrom: fix double-free in nr_route_frame()

In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again, causing a double-free bug.

Therefore, to prevent this, we need to modify it to check whether nr_neigh->ax25 is NULL before freeing old_skb.
02 KernelScan AI Analysis
Risk summary
An attacker with local access could potentially trigger memory corruption by sending specially crafted NetROM packets that cause a double-free condition. This could lead to system crashes or potentially arbitrary code execution with kernel privileges.
Vulnerability analysis
Summary: A double-free vulnerability exists in the NetROM routing code where an skb (socket buffer) can be freed twice under certain error conditions.
Root Cause: In nr_route_frame(), the original skb (old_skb) is unconditionally freed after creating a copy via skb_copy_expand(). However, if the subsequent ax25_send_frame() call fails (returns 0) because nr_neigh->ax25 is NULL, the caller function will attempt to free the same skb again, resulting in a double-free condition.
Attack Surface: This vulnerability affects systems that use the NetROM amateur radio networking protocol. It requires local access to send malformed NetROM packets that cause the vulnerable code path to execute. The bug is reachable through network packet processing, but only where NetROM is actually in use.
Fix Mechanism: The patch modifies the code to defer freeing the original skb until after checking the return value of ax25_send_frame(). The original skb is now only freed if ax25_send_frame() succeeds (returns non-zero), preventing the double-free scenario when the function fails.
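The ownership mistake described above, as an added user-space model that is not the kernel's code or the patch itself. `struct buf`, `send_frame`, `route_frame_unsafe`, `route_frame_fixed` and `frees_of_original` are hypothetical names; a counter stands in for kfree_skb() so the double free can be observed without corrupting memory, and the model assumes the routing function releases its own copy on failure.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: buf stands in for an skb; frees > 1 is a double-free. */
struct buf { int frees; };
static void buf_free(struct buf *b) { b->frees++; }

/* Stand-in for the send step: NULL when no link exists (the failure case). */
static void *send_frame(struct buf *copy, int link_up)
{
    static int link;
    if (!link_up)
        return NULL;        /* failure: copy is not consumed */
    buf_free(copy);         /* success: the send path consumes the copy */
    return &link;
}

/* Pre-fix shape: the original is freed before the send result is known. */
static int route_frame_unsafe(struct buf *old, struct buf *copy, int link_up)
{
    buf_free(old);
    if (send_frame(copy, link_up) == NULL) {
        buf_free(copy);
        return 0;           /* caller frees old again */
    }
    return 1;
}

/* Post-fix shape: the original is freed only once the send has succeeded. */
static int route_frame_fixed(struct buf *old, struct buf *copy, int link_up)
{
    if (send_frame(copy, link_up) == NULL) {
        buf_free(copy);
        return 0;           /* old is still owned by the caller */
    }
    buf_free(old);
    return 1;
}

/* Caller contract from the description: on a 0 return the caller frees old. */
typedef int (*route_fn)(struct buf *, struct buf *, int);
static int frees_of_original(route_fn route, int link_up)
{
    struct buf old = {0}, copy = {0};
    if (!route(&old, &copy, link_up))
        buf_free(&old);
    return old.frees;
}

int main(void)
{
    printf("unsafe, send fails: %d frees\n", frees_of_original(route_frame_unsafe, 0));
    printf("fixed,  send fails: %d frees\n", frees_of_original(route_frame_fixed, 0));
    return 0;
}
```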
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.249 | 25aab6bfc310 |
| 5.15 | 5.15.199 | 6e0110ea9031 |
| 6.1 | 6.1.162 | 7c48fdf2d134 |
| 6.12 | 6.12.68 | 94d1a8bd08af |
| 6.18 | 6.18.8 | 9f5fa78d9980 |
| 6.6 | 6.6.122 | bd8955337e37 |
| mainline | 6.19 | ba1096c31528 |