KernelScan.io

HIGH

xsk Buffer Node Leak

CVE-2026-23326

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 7.8 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

xsk: Fix fragment node deletion to prevent buffer leak

After commit b692bf9a7543 ("xsk: Get rid of xdp_buff_xsk::xskb_list_node"), the list_node field is reused for both the xskb pool list and the buffer free list, this causes a buffer leak as described below.

xp_free() checks if a buffer is already on the free list using list_empty(&xskb->list_node). When list_del() is used to remove a node from the xskb pool list, it doesn't reinitialize the node pointers. This means list_empty() will return false even after the node has been removed, causing xp_free() to incorrectly skip adding the buffer to the free list.

Fix this by using list_del_init() instead of list_del() in all fragment handling paths, this ensures the list node is reinitialized after removal, allowing the list_empty() to work correctly.

02

Engine v0.2.0

Risk summary

This vulnerability causes network buffer leaks in systems using AF_XDP sockets, potentially leading to memory exhaustion and denial of service. While it requires local access and specific socket operations, it can impact high-performance networking applications and could be exploited by malicious local users to degrade system performance.

Affected: net/xdp

Vulnerability analysis

Summary: A resource leak vulnerability in the XSK (AF_XDP socket) subsystem where network buffers are not properly returned to the free pool due to incorrect list node management.

Root Cause: After commit b692bf9a7543, the list_node field in xdp_buff_xsk was reused for both the xskb pool list and the buffer free list. When buffers are removed from the pool list using list_del(), the node pointers are not reinitialized, causing list_empty() checks in xp_free() to incorrectly return false and skip adding buffers back to the free list.

Attack Surface: This vulnerability affects systems using AF_XDP sockets for high-performance packet processing. It requires local access and the ability to create XSK sockets, typically requiring elevated privileges or specific capabilities. The leak occurs during normal XSK fragment processing operations.

Fix Mechanism: The patch replaces all instances of list_del() with list_del_init() in XSK fragment handling paths. This ensures that after a node is removed from a list, its pointers are reinitialized to point to itself, making subsequent list_empty() checks return true and allowing proper buffer recycling.
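The difference between the two removal calls, as an added example (a userspace model written for this page, not kernel code). The list helpers imitate the kernel's behaviour, the poison values are stand-ins, and struct buf, model_free() and release_fragment() are hypothetical names.

```c
#include <stdio.h>

/* Userspace model of the kernel's circular doubly linked list (constructed). */
struct list_head { struct list_head *next, *prev; };
#define POISON1 ((struct list_head *)0x100)  /* stand-in for LIST_POISON1 */
#define POISON2 ((struct list_head *)0x122)  /* stand-in for LIST_POISON2 */

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del(struct list_head *n) {      /* unlinks, leaves node poisoned */
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = POISON1; n->prev = POISON2;
}
static void list_del_init(struct list_head *n) { /* unlinks and re-initialises */
    n->prev->next = n->next; n->next->prev = n->prev;
    INIT_LIST_HEAD(n);
}

/* Hypothetical stand-in for xdp_buff_xsk: one node shared by two lists. */
struct buf { struct list_head list_node; };

/* Models the check described for xp_free(): a node that does not look empty
 * is assumed to be on the free list already, so it is skipped. */
static int model_free(struct buf *b, struct list_head *free_list) {
    if (!list_empty(&b->list_node))
        return 0;                        /* skipped: the buffer is leaked */
    list_add_tail(&b->list_node, free_list);
    return 1;
}

/* Returns 1 if the fragment buffer reached the free list, 0 if it leaked. */
int release_fragment(int use_del_init) {
    struct list_head frags, free_list;
    struct buf b;
    INIT_LIST_HEAD(&frags); INIT_LIST_HEAD(&free_list);
    INIT_LIST_HEAD(&b.list_node);
    list_add_tail(&b.list_node, &frags);       /* buffer queued as a fragment */
    if (use_del_init) list_del_init(&b.list_node);
    else              list_del(&b.list_node);  /* pre-fix behaviour */
    return model_free(&b, &free_list);
}

int main(void) {
    printf("list_del:      recycled=%d\n", release_fragment(0));
    printf("list_del_init: recycled=%d\n", release_fragment(1));
    return 0;
}
```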

03

Branch      Fixed in    Patch commit
6.18        6.18.17     5172adf9efb8
6.19        6.19.7      2a9ea988465e
mainline    7.0         645c6d8376ad