KernelScan.io

HIGH

ipmi MessageHandler UAF

CVE-2026-23322

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

ipmi: Fix use-after-free and list corruption on sender error

The analysis from Breno:

When the SMI sender returns an error, smi_work() delivers an error response but then jumps back to restart without cleaning up properly:

1. intf->curr_msg is not cleared, so no new message is pulled
2. newmsg still points to the message, causing sender() to be called again with the same message
3. If sender() fails again, deliver_err_response() is called with the same recv_msg that was already queued for delivery

This causes list_add corruption ("list_add double add") because the recv_msg is added to the user_msgs list twice. Subsequently, the corrupted list leads to use-after-free when the memory is freed and reused, and eventually a NULL pointer dereference when accessing recv_msg->done.

The buggy sequence:

  sender() fails
    -> deliver_err_response(recv_msg)  // recv_msg queued for delivery
    -> goto restart                    // curr_msg not cleared!
  sender() fails again (same message!)
    -> deliver_err_response(recv_msg)  // tries to queue same recv_msg
    -> LIST CORRUPTION

Fix this by freeing the message and setting it to NULL on a send error. Also, always free the newmsg on a send error, otherwise it will leak.

02

Engine v0.2.0

Risk summary

Memory corruption in the IPMI message handler when an SMI send fails. The same recv_msg is queued to the user's response list twice, which corrupts the list; once the message is freed and its memory reused, the handler operates on freed memory and eventually dereferences a NULL recv_msg->done. The path runs in kernel context on behalf of a local process that submits IPMI messages (CVSS vector AV:L/PR:L), but it is entered only when the interface driver's sender() callback returns an error, so whether a user can provoke it deliberately depends on the interface driver and hardware state. The direct impact is a kernel crash; NVD also rates confidentiality and integrity high because a kernel use-after-free can escalate depending on allocator state and heap layout.

Affected: drivers/char/ipmi/ipmi_msghandler.c

Vulnerability analysis

Summary: A use-after-free in the IPMI message handler (smi_work() in drivers/char/ipmi/ipmi_msghandler.c). When the SMI sender returns an error, the error path leaves the failed message in place, resends it, and queues the same recv_msg to the user_msgs list twice; the corrupted list leads to freed memory being reused and finally to a NULL pointer dereference.

Root Cause: When the SMI sender returns an error in smi_work(), the code calls deliver_err_response() to queue an error response for the user but then jumps to 'restart' without cleaning up. Specifically: (1) intf->curr_msg is not cleared, so no new message is pulled from the transmit queue; (2) newmsg still points to the same message, so sender() is called again with it; and (3) if sender() fails again, deliver_err_response() is called with the same recv_msg that was already queued, and list_add() adds it to the user_msgs list a second time. With the kernel's list-debug check enabled this trips the "list_add double add" warning; without it the list is silently corrupted, later traversals touch the recv_msg after it has been freed and its memory reused, and the handler eventually dereferences NULL through recv_msg->done.

Attack Surface: Local. Messages reach ipmi_msghandler from local users of the IPMI device interface and from in-kernel IPMI users, and smi_work() hands them to the low-level interface driver through its sender() callback. The bug is in the handler's reaction to sender() returning an error, not in parsing of the message itself, so a well-formed request is enough if the interface driver rejects it. Whether a local user can provoke a rejection on purpose depends on the interface driver and hardware state; it is the repeated rejection of the same message that turns the first error into the double add.

Fix Mechanism: On a send error the fix (1) clears intf->curr_msg so that the next pass through the loop pulls a fresh message instead of resending the failed one, (2) frees newmsg, which was otherwise leaked, and (3) sets newmsg to NULL so the freed message cannot be handed to sender() or deliver_err_response() again. With the stale pointers gone, each recv_msg is queued to user_msgs exactly once.
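The sequence in the root-cause and fix paragraphs above, as a user-space model added to this page (it is neither kernel code nor KernelScan's): the list, the message and interface structs, the sender hook and the smi_work()/deliver_err_response() bodies are simplified stand-ins that borrow the kernel's names, and the double-add check mirrors the one the kernel's list debugging adds to list_add(). The buggy variant reproduces the resend of the same message and the refused second queueing; the fixed variant applies the commit's changes and stops after one send.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal doubly linked list in the style of <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

/* list_add_tail() with the CONFIG_DEBUG_LIST "list_add double add" check
 * (node == prev || node == next); returns false where the kernel WARNs. It only
 * fires when the node already is the tail; elsewhere in the list the node would
 * be relinked silently, leaving its old neighbours pointing at it. */
static bool list_add_tail_checked(struct list_head *node, struct list_head *head)
{
    struct list_head *prev = head->prev;
    if (node == prev || node == head)
        return false;
    node->next = head; node->prev = prev;
    prev->next = node; head->prev = node;
    return true;
}

/* Simplified stand-ins for ipmi_recv_msg, ipmi_smi_msg and the interface. */
struct recv_msg { struct list_head link; };
struct smi_msg  { struct recv_msg *recv; };
struct intf {
    struct list_head user_msgs;          /* responses queued for the user */
    struct smi_msg *curr_msg;            /* message in flight to the SMI */
    int (*sender)(struct smi_msg *);     /* SMI hook; nonzero = send error */
    int sender_calls;
};

static int sender_always_fails(struct smi_msg *m) { (void)m; return -EIO; }

/* deliver_err_response(): queue the recv_msg back to the user as an error. */
static bool deliver_err_response(struct intf *intf, struct recv_msg *recv)
{
    return list_add_tail_checked(&recv->link, &intf->user_msgs);
}
enum { SMI_OK = 0, SMI_DOUBLE_ADD = -1 };

/* Model of smi_work()'s pull-send-restart loop; *pending stands in for the xmit
 * queue. With fixed == false the error path behaves as the commit message
 * describes: curr_msg stays set and the stale newmsg is sent again. */
static int smi_work(struct intf *intf, struct smi_msg **pending, bool fixed)
{
    struct smi_msg *newmsg = NULL;
restart:
    if (intf->curr_msg == NULL && *pending) {   /* nothing in flight: pull one */
        newmsg = *pending;
        *pending = NULL;
    }
    if (newmsg) {
        intf->curr_msg = newmsg;
        intf->sender_calls++;
        if (intf->sender(newmsg) != 0) {
            if (!deliver_err_response(intf, newmsg->recv))
                return SMI_DOUBLE_ADD;   /* same recv_msg queued twice */
            if (fixed) {
                intf->curr_msg = NULL;   /* let the next message be pulled */
                free(newmsg);            /* always free newmsg on send error */
                newmsg = NULL;
            }
            goto restart;
        }
    }
    return SMI_OK;
}

struct outcome { int rc, sender_calls, queued; };
/* Push one message through a sender that always fails and report what the loop
 * did. The buggy path never frees the smi_msg (the leak the commit notes). */
static struct outcome run_scenario(bool fixed)
{
    struct intf intf = { .sender = sender_always_fails };
    struct recv_msg *recv = calloc(1, sizeof *recv);
    struct smi_msg *msg = calloc(1, sizeof *msg), *pending = msg;
    struct outcome out = { 0 };
    if (!recv || !msg) abort();
    INIT_LIST_HEAD(&intf.user_msgs);
    INIT_LIST_HEAD(&recv->link);
    msg->recv = recv;
    out.rc = smi_work(&intf, &pending, fixed);
    out.sender_calls = intf.sender_calls;
    for (struct list_head *p = intf.user_msgs.next; p != &intf.user_msgs; p = p->next)
        out.queued++;
    if (!fixed) free(msg);   /* release what the buggy loop leaked */
    free(recv);
    return out;
}

int main(void)
{
    for (int f = 0; f < 2; f++) {
        struct outcome o = run_scenario(f);
        printf("%s: rc=%d sender() calls=%d queued=%d\n",
               f ? "fixed" : "buggy", o.rc, o.sender_calls, o.queued);
    }
    return 0;
}
```

Build with `cc -Wall -std=c99 model.c`. The buggy run calls sender() twice and is stopped by the double-add check; the fixed run calls it once and leaves one response queued. Without the list-debug check, a second list_add_tail() of a node that is already the tail sets the node's next and prev to itself, so traversal from the list head never returns to the head: that is the corruption which, once the recv_msg is freed and reused, becomes the use-after-free and the NULL recv_msg->done dereference described above.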

03

Branch    Fixed in   Patch commit
6.18      6.18.17    c08ec55617cb
6.19      6.19.7     65ff5d1e4410
mainline  7.0        594c11d0e1d4