HIGH Published 2026-04-03

igc XSK UAF

CVE-2026-23445

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI5.5MEDIUM

01Description

In the Linux kernel, the following vulnerability has been resolved: igc: fix page fault in XDP TX timestamps handling If an XDP application that requested TX timestamping is shutting down while the link of the interface in use is still up the following kernel splat is reported: [ 883.803618] [ T1554] BUG: unable to handle page fault for address: ffffcfb6200fd008 ... [ 883.803650] [ T1554] Call Trace: [ 883.803652] [ T1554] <TASK> [ 883.803654] [ T1554] igc_ptp_tx_tstamp_event+0xdf/0x160 [igc] [ 883.803660] [ T1554] igc_tsync_interrupt+0x2d5/0x300 [igc] ... During shutdown of the TX ring the xsk_meta pointers are left behind, so that the IRQ handler is trying to touch them. This issue is now being fixed by cleaning up the stale xsk meta data on TX shutdown. TX timestamps on other queues remain unaffected.

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

Systems using Intel I225/I226 Ethernet controllers with XDP applications requesting TX timestamping are vulnerable to kernel crashes during application shutdown. The vulnerability causes a page fault when interrupt handlers access freed XSK metadata pointers, leading to system instability.

Affecteddrivers/net/ethernet/intel/igc/igc_ptp.c (Intel igc network driver)

Vulnerability analysis

The root cause is improper cleanup of XSK (AF_XDP socket) metadata pointers during TX ring shutdown. When an XDP application with TX timestamping requests terminates while the network interface remains active, the xsk_meta pointers in the timestamp request structures are not cleared. Subsequently, hardware timestamp interrupts attempt to access these stale pointers, causing a page fault in igc_ptp_tx_tstamp_event(). The fix adds igc_ptp_clear_xsk_tx_tstamp_queue() to properly clean up pending XSK timestamp requests during TX ring cleanup, preventing the use-after-free condition. This is a local vulnerability requiring privileged access to create XDP sockets and configure hardware timestamping.

03Fix Versions

Branch	Fixed in	Patch commit
6.12	6.12.78	`5e4c90c94eb7`
6.18	6.18.20	`31521c124e64`
6.19	6.19.10	`b02fa17d1744`
mainline	7.0	`45b33e805bd3`