HIGH
net/ti XDP Leak
CVE-2026-23453
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
KernelScan AI7.5HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: net: ti: icssg-prueth: Fix memory leak in XDP_DROP for non-zero-copy mode Page recycling was removed from the XDP_DROP path in emac_run_xdp() to avoid conflicts with AF_XDP zero-copy mode, which uses xsk_buff_free() instead. However, this causes a memory leak when running XDP programs that drop packets in non-zero-copy mode (standard page pool mode). The pages are never returned to the page pool, leading to OOM conditions. Fix this by handling cleanup in the caller, emac_rx_packet(). When emac_run_xdp() returns ICSSG_XDP_CONSUMED for XDP_DROP, the caller now recycles the page back to the page pool. The zero-copy path, emac_rx_packet_zc() already handles cleanup correctly with xsk_buff_free().
02KernelScan AI Analysis
Risk summary
Systems using TI ICSSG PRU Ethernet with XDP programs that drop packets can experience memory exhaustion leading to out-of-memory conditions. The vulnerability is triggered by network traffic processed by XDP programs in non-zero-copy mode, making it remotely exploitable for denial of service.
Vulnerability analysis
The root cause is missing page pool cleanup when XDP programs drop packets in non-zero-copy mode. When AF_XDP zero-copy support was added, page recycling was removed from the XDP_DROP path to avoid conflicts, but this created a memory leak where pages are never returned to the page pool. The fix adds explicit page recycling in the caller when XDP_DROP occurs, ensuring proper resource cleanup while preserving zero-copy mode functionality. Attack surface is network-facing through the Ethernet receive path, requiring no privileges to trigger.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.19 | 6.19.10 | d16d57dedcb6 |
| mainline | 7.0 | 719d3e71691d |