#VU124191 Exposed IOCTL with Insufficient Access Control in Linux kernel - CVE-2026-23257
Published: March 20, 2026
Linux kernel
Linux Foundation
Description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an off-by-one error in the cleanup path of the PF setup_nic_devices() function in the liquidio network driver, which handles device initialization failure. A local user can trigger improper cleanup of allocated resources to cause a denial of service.
The vulnerability specifically results in a memory leak during device setup failure, which may lead to resource exhaustion over time. Administrative privileges are required to trigger the device setup process.
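A simplified user-space model of this class of bug, added here as an illustration and not taken from the liquidio driver or the linked commits. It assumes the unwind loop skips the entry that failed part-way through setup; all names (`setup_model`, `nic_dev`, `NUM_IFS`) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#define NUM_IFS 4                 /* constructed: interfaces to bring up */
struct nic_dev { void *netdev; }; /* hypothetical per-interface state */
static int live_allocs;           /* allocations not yet freed */

static void *dev_alloc(void)
{
    void *p = malloc(64);
    if (p) live_allocs++;
    return p;
}

static void dev_free(struct nic_dev *d)
{
    if (!d->netdev) return;
    free(d->netdev);
    d->netdev = NULL;
    live_allocs--;
}

/* Bring up NUM_IFS entries; entry fail_at fails after its allocation
 * succeeded (fail_at < 0: no failure). Returns leaked allocation count. */
static int setup_model(int fail_at, int fixed)
{
    struct nic_dev devs[NUM_IFS] = { { NULL } };
    int i;
    live_allocs = 0;
    for (i = 0; i < NUM_IFS; i++) {
        devs[i].netdev = dev_alloc();
        if (!devs[i].netdev || i == fail_at)
            goto unwind;          /* entry i may already hold memory */
    }
    for (i = 0; i < NUM_IFS; i++) /* success: normal teardown */
        dev_free(&devs[i]);
    return live_allocs;
unwind:
    if (fixed)
        do dev_free(&devs[i]); while (i--); /* frees i, i-1, ..., 0 */
    else
        while (i--)               /* off-by-one: starts at i-1, skips i */
            dev_free(&devs[i]);
    return live_allocs;
}

int main(void)
{
    printf("buggy leak=%d fixed leak=%d\n", setup_model(2, 0), setup_model(2, 1));
    return 0;
}
```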
Remediation
External links
- https://git.kernel.org/stable/c/293eaad0d6d6b2a37a458c7deb7be345349cd963
- https://git.kernel.org/stable/c/8558aef4e8a1a83049ab906d21d391093cfa7e7f
- https://git.kernel.org/stable/c/a0d2389c8cdc1f05de5eb8663bffe9ed05dca769
- https://git.kernel.org/stable/c/af38d9a5cb49fe9d0d282b44f17fdc1f3270d99d
- https://git.kernel.org/stable/c/d86c58eb005eb99da402452f3db7a6e0eae32815
- https://git.kernel.org/stable/c/f1216b80c9040a904d2ad7c8cd24ca0ff1f36932
- https://git.kernel.org/stable/c/f86bd16280a0f88b538394e0565c56ce4756da99