CVE-2026-22994

MEDIUM EPSS 2.1%
Published Jan 23, 20265mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jan 23, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference count leak in bpf_prog_test_run_xdp() syzbot is reporting unregister_netdevice: waiting for sit0 to become free. Usage count = 2 problem. A debug printk() patch found that a refcount is obtained at xdp_convert_md_to_buff() from bpf_prog_test_run_xdp(). According to commit ec94670fcb3b ("bpf: Support specifying ingress via xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md(). Therefore, we can consider that the error handling path introduced by commit 1c1949982524 ("bpf: introduce frags support to bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md().

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 9

VendorProductVersionRange
linuxlinux_kernel*≥5.18  –  <6.1.161
linuxlinux_kernel*≥6.2  –  <6.6.121
linuxlinux_kernel*≥6.7  –  <6.12.66
linuxlinux_kernel*≥6.13  –  <6.18.6
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any

References 5

  • git.kernel.org https://git.kernel.org/stable/c/368569bc546d3368ee9980ba79fc42fdff9a3365
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/737be05a765761d7d7c9f7fe92274bd8e6f6951e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/98676ee71fd4eafeb8be63c7f3f1905d40e03101
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ec69daabe45256f98ac86c651b8ad1b2574489a7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fb9ef40cccdbacce36029b305d0ef1e12e4fea38
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/368569bc546d3368ee9980ba79fc42fdff9a3365
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/737be05a765761d7d7c9f7fe92274bd8e6f6951e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/98676ee71fd4eafeb8be63c7f3f1905d40e03101
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ec69daabe45256f98ac86c651b8ad1b2574489a7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fb9ef40cccdbacce36029b305d0ef1e12e4fea38
    Patch