#VU124192 Exposed IOCTL with Insufficient Access Control in Linux kernel - CVE-2026-23256

 


Published: March 20, 2026


Vulnerability identifier: #VU124192
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23256
CWE-ID: CWE-782
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
Linux kernel
Software vendor:
Linux Foundation

Description

The vulnerability allows a local user to cause a memory leak.

The vulnerability exists due to an off-by-one error in the VF setup_nic_devices() cleanup function in the net: liquidio component when initializing network devices. A local user can trigger a failure during device setup to cause a memory leak.

The vulnerability specifically affects the cleanup logic in setup_nic_devices(), where the loop fails to release memory for the current index on the error path. Triggering it requires the ability to configure or trigger virtual function (VF) device initialization, which is typically available only to privileged users.
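
The off-by-one cleanup pattern described above, shown as a simplified user-space model added here for illustration; it is not the liquidio driver code or the upstream patch. The names setup_devices_model, fail_at, inclusive_cleanup and the allocation counter are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>

#define NUM_IFS 4        /* constructed value: interfaces to set up */

static int live_allocs;  /* outstanding allocations, used for leak accounting */

static void *dev_alloc(void) { void *p = malloc(64); if (p) live_allocs++; return p; }
static void dev_free(void *p) { if (p) { free(p); live_allocs--; } }

/* Model of a per-index setup loop with an error unwind.
 * fail_at: index whose later init step fails (hypothetical fault injection,
 *          -1 means no failure).
 * inclusive_cleanup: 0 reproduces the off-by-one, 1 also releases the
 *          current index. Returns the number of allocations left leaked. */
int setup_devices_model(int fail_at, int inclusive_cleanup)
{
    void *devs[NUM_IFS] = {0};
    int i;

    live_allocs = 0;
    for (i = 0; i < NUM_IFS; i++) {
        devs[i] = dev_alloc();
        if (!devs[i])
            goto unwind;      /* nothing was allocated for index i */
        if (i == fail_at)
            goto unwind;      /* devs[i] is allocated, but its setup failed */
    }
    for (i = 0; i < NUM_IFS; i++)   /* success path: normal teardown */
        dev_free(devs[i]);
    return live_allocs;

unwind:
    if (inclusive_cleanup)
        i++;                  /* make the unwind cover the current index */
    while (i--)               /* releases devs[i-1] down to devs[0] */
        dev_free(devs[i]);    /* dev_free() tolerates a NULL slot */
    return live_allocs;
}

int main(void)
{
    printf("off-by-one unwind, failure at index 2: %d leaked\n",
           setup_devices_model(2, 0));
    printf("inclusive unwind, failure at index 2: %d leaked\n",
           setup_devices_model(2, 1));
    return 0;
}
```

Each failed setup attempt on the off-by-one path leaves one allocation behind, so repeated failures accumulate leaked memory.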


Remediation

Install the security update from the vendor's repository.

External links