CVE-2026-23046 - Vulnerability Details

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Link	Providers
https://git.kernel.org/stable/c/a5e2d902f64c76169c771f584559c82b588090e3
https://git.kernel.org/stable/c/acb4bc6e1ba34ae1a34a9334a1ce8474c909466e

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: virtio_net: fix device mismatch in devm_kzalloc/devm_kfree Initial rss_hdr allocation uses virtio_device->device, but virtnet_set_queues() frees using net_device->device. This device mismatch causing below devres warning [ 3788.514041] ------------[ cut here ]------------ [ 3788.514044] WARNING: drivers/base/devres.c:1095 at devm_kfree+0x84/0x98, CPU#16: vdpa/1463 [ 3788.514054] Modules linked in: octep_vdpa virtio_net virtio_vdpa [last unloaded: virtio_vdpa] [ 3788.514064] CPU: 16 UID: 0 PID: 1463 Comm: vdpa Tainted: G W 6.18.0 #10 PREEMPT [ 3788.514067] Tainted: [W]=WARN [ 3788.514069] Hardware name: Marvell CN106XX board (DT) [ 3788.514071] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) [ 3788.514074] pc : devm_kfree+0x84/0x98 [ 3788.514076] lr : devm_kfree+0x54/0x98 [ 3788.514079] sp : ffff800084e2f220 [ 3788.514080] x29: ffff800084e2f220 x28: ffff0003b2366000 x27: 000000000000003f [ 3788.514085] x26: 000000000000003f x25: ffff000106f17c10 x24: 0000000000000080 [ 3788.514089] x23: ffff00045bb8ab08 x22: ffff00045bb8a000 x21: 0000000000000018 [ 3788.514093] x20: ffff0004355c3080 x19: ffff00045bb8aa00 x18: 0000000000080000 [ 3788.514098] x17: 0000000000000040 x16: 000000000000001f x15: 000000000007ffff [ 3788.514102] x14: 0000000000000488 x13: 0000000000000005 x12: 00000000000fffff [ 3788.514106] x11: ffffffffffffffff x10: 0000000000000005 x9 : ffff800080c8c05c [ 3788.514110] x8 : ffff800084e2eeb8 x7 : 0000000000000000 x6 : 000000000000003f [ 3788.514115] x5 : ffff8000831bafe0 x4 : ffff800080c8b010 x3 : ffff0004355c3080 [ 3788.514119] x2 : ffff0004355c3080 x1 : 0000000000000000 x0 : 0000000000000000 [ 3788.514123] Call trace: [ 3788.514125] devm_kfree+0x84/0x98 (P) [ 3788.514129] virtnet_set_queues+0x134/0x2e8 [virtio_net] [ 3788.514135] virtnet_probe+0x9c0/0xe00 [virtio_net] [ 3788.514139] virtio_dev_probe+0x1e0/0x338 [ 3788.514144] really_probe+0xc8/0x3a0 [ 3788.514149] __driver_probe_device+0x84/0x170 [ 3788.514152] driver_probe_device+0x44/0x120 [ 3788.514155] __device_attach_driver+0xc4/0x168 [ 3788.514158] bus_for_each_drv+0x8c/0xf0 [ 3788.514161] __device_attach+0xa4/0x1c0 [ 3788.514164] device_initial_probe+0x1c/0x30 [ 3788.514168] bus_probe_device+0xb4/0xc0 [ 3788.514170] device_add+0x614/0x828 [ 3788.514173] register_virtio_device+0x214/0x258 [ 3788.514175] virtio_vdpa_probe+0xa0/0x110 [virtio_vdpa] [ 3788.514179] vdpa_dev_probe+0xa8/0xd8 [ 3788.514183] really_probe+0xc8/0x3a0 [ 3788.514186] __driver_probe_device+0x84/0x170 [ 3788.514189] driver_probe_device+0x44/0x120 [ 3788.514192] __device_attach_driver+0xc4/0x168 [ 3788.514195] bus_for_each_drv+0x8c/0xf0 [ 3788.514197] __device_attach+0xa4/0x1c0 [ 3788.514200] device_initial_probe+0x1c/0x30 [ 3788.514203] bus_probe_device+0xb4/0xc0 [ 3788.514206] device_add+0x614/0x828 [ 3788.514209] _vdpa_register_device+0x58/0x88 [ 3788.514211] octep_vdpa_dev_add+0x104/0x228 [octep_vdpa] [ 3788.514215] vdpa_nl_cmd_dev_add_set_doit+0x2d0/0x3c0 [ 3788.514218] genl_family_rcv_msg_doit+0xe4/0x158 [ 3788.514222] genl_rcv_msg+0x218/0x298 [ 3788.514225] netlink_rcv_skb+0x64/0x138 [ 3788.514229] genl_rcv+0x40/0x60 [ 3788.514233] netlink_unicast+0x32c/0x3b0 [ 3788.514237] netlink_sendmsg+0x170/0x3b8 [ 3788.514241] __sys_sendto+0x12c/0x1c0 [ 3788.514246] __arm64_sys_sendto+0x30/0x48 [ 3788.514249] invoke_syscall.constprop.0+0x58/0xf8 [ 3788.514255] do_el0_svc+0x48/0xd0 [ 3788.514259] el0_svc+0x48/0x210 [ 3788.514264] el0t_64_sync_handler+0xa0/0xe8 [ 3788.514268] el0t_64_sync+0x198/0x1a0 [ 3788.514271] ---[ end trace 0000000000000000 ]--- Fix by using virtio_device->device consistently for allocation and deallocation
Title		virtio_net: fix device mismatch in devm_kzalloc/devm_kfree
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/a5e2d902f64c76169c771f584559c82b588090e3 https://git.kernel.org/stable/c/acb4bc6e1ba34ae1a34a9334a1ce8474c909466e

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23046", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.944Z", "datePublished": "2026-02-04T16:00:28.772Z", "dateUpdated": "2026-02-04T16:00:28.772Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-02-04T16:00:28.772Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: fix device mismatch in devm_kzalloc/devm_kfree\n\nInitial rss_hdr allocation uses virtio_device->device,\nbut virtnet_set_queues() frees using net_device->device.\nThis device mismatch causing below devres warning\n\n[ 3788.514041] ------------[ cut here ]------------\n[ 3788.514044] WARNING: drivers/base/devres.c:1095 at devm_kfree+0x84/0x98, CPU#16: vdpa/1463\n[ 3788.514054] Modules linked in: octep_vdpa virtio_net virtio_vdpa [last unloaded: virtio_vdpa]\n[ 3788.514064] CPU: 16 UID: 0 PID: 1463 Comm: vdpa Tainted: G W 6.18.0 #10 PREEMPT\n[ 3788.514067] Tainted: [W]=WARN\n[ 3788.514069] Hardware name: Marvell CN106XX board (DT)\n[ 3788.514071] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n[ 3788.514074] pc : devm_kfree+0x84/0x98\n[ 3788.514076] lr : devm_kfree+0x54/0x98\n[ 3788.514079] sp : ffff800084e2f220\n[ 3788.514080] x29: ffff800084e2f220 x28: ffff0003b2366000 x27: 000000000000003f\n[ 3788.514085] x26: 000000000000003f x25: ffff000106f17c10 x24: 0000000000000080\n[ 3788.514089] x23: ffff00045bb8ab08 x22: ffff00045bb8a000 x21: 0000000000000018\n[ 3788.514093] x20: ffff0004355c3080 x19: ffff00045bb8aa00 x18: 0000000000080000\n[ 3788.514098] x17: 0000000000000040 x16: 000000000000001f x15: 000000000007ffff\n[ 3788.514102] x14: 0000000000000488 x13: 0000000000000005 x12: 00000000000fffff\n[ 3788.514106] x11: ffffffffffffffff x10: 0000000000000005 x9 : ffff800080c8c05c\n[ 3788.514110] x8 : ffff800084e2eeb8 x7 : 0000000000000000 x6 : 000000000000003f\n[ 3788.514115] x5 : ffff8000831bafe0 x4 : ffff800080c8b010 x3 : ffff0004355c3080\n[ 3788.514119] x2 : ffff0004355c3080 x1 : 0000000000000000 x0 : 0000000000000000\n[ 3788.514123] Call trace:\n[ 3788.514125] devm_kfree+0x84/0x98 (P)\n[ 3788.514129] virtnet_set_queues+0x134/0x2e8 [virtio_net]\n[ 3788.514135] virtnet_probe+0x9c0/0xe00 [virtio_net]\n[ 3788.514139] virtio_dev_probe+0x1e0/0x338\n[ 3788.514144] really_probe+0xc8/0x3a0\n[ 3788.514149] __driver_probe_device+0x84/0x170\n[ 3788.514152] driver_probe_device+0x44/0x120\n[ 3788.514155] __device_attach_driver+0xc4/0x168\n[ 3788.514158] bus_for_each_drv+0x8c/0xf0\n[ 3788.514161] __device_attach+0xa4/0x1c0\n[ 3788.514164] device_initial_probe+0x1c/0x30\n[ 3788.514168] bus_probe_device+0xb4/0xc0\n[ 3788.514170] device_add+0x614/0x828\n[ 3788.514173] register_virtio_device+0x214/0x258\n[ 3788.514175] virtio_vdpa_probe+0xa0/0x110 [virtio_vdpa]\n[ 3788.514179] vdpa_dev_probe+0xa8/0xd8\n[ 3788.514183] really_probe+0xc8/0x3a0\n[ 3788.514186] __driver_probe_device+0x84/0x170\n[ 3788.514189] driver_probe_device+0x44/0x120\n[ 3788.514192] __device_attach_driver+0xc4/0x168\n[ 3788.514195] bus_for_each_drv+0x8c/0xf0\n[ 3788.514197] __device_attach+0xa4/0x1c0\n[ 3788.514200] device_initial_probe+0x1c/0x30\n[ 3788.514203] bus_probe_device+0xb4/0xc0\n[ 3788.514206] device_add+0x614/0x828\n[ 3788.514209] _vdpa_register_device+0x58/0x88\n[ 3788.514211] octep_vdpa_dev_add+0x104/0x228 [octep_vdpa]\n[ 3788.514215] vdpa_nl_cmd_dev_add_set_doit+0x2d0/0x3c0\n[ 3788.514218] genl_family_rcv_msg_doit+0xe4/0x158\n[ 3788.514222] genl_rcv_msg+0x218/0x298\n[ 3788.514225] netlink_rcv_skb+0x64/0x138\n[ 3788.514229] genl_rcv+0x40/0x60\n[ 3788.514233] netlink_unicast+0x32c/0x3b0\n[ 3788.514237] netlink_sendmsg+0x170/0x3b8\n[ 3788.514241] __sys_sendto+0x12c/0x1c0\n[ 3788.514246] __arm64_sys_sendto+0x30/0x48\n[ 3788.514249] invoke_syscall.constprop.0+0x58/0xf8\n[ 3788.514255] do_el0_svc+0x48/0xd0\n[ 3788.514259] el0_svc+0x48/0x210\n[ 3788.514264] el0t_64_sync_handler+0xa0/0xe8\n[ 3788.514268] el0t_64_sync+0x198/0x1a0\n[ 3788.514271] ---[ end trace 0000000000000000 ]---\n\nFix by using virtio_device->device consistently for\nallocation and deallocation"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/virtio_net.c"], "versions": [{"version": "4944be2f5ad8c74b93e4e272f3a0f1a136bbc438", "lessThan": "a5e2d902f64c76169c771f584559c82b588090e3", "status": "affected", "versionType": "git"}, {"version": "4944be2f5ad8c74b93e4e272f3a0f1a136bbc438", "lessThan": "acb4bc6e1ba34ae1a34a9334a1ce8474c909466e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/virtio_net.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.6", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a5e2d902f64c76169c771f584559c82b588090e3"}, {"url": "https://git.kernel.org/stable/c/acb4bc6e1ba34ae1a34a9334a1ce8474c909466e"}], "title": "virtio_net: fix device mismatch in devm_kzalloc/devm_kfree", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: fix device mismatch in devm_kzalloc/devm_kfree\n\nInitial rss_hdr allocation uses virtio_device->device,\nbut virtnet_set_queues() frees using net_device->device.\nThis device mismatch causing below devres warning\n\n[ 3788.514041] ------------[ cut here ]------------\n[ 3788.514044] WARNING: drivers/base/devres.c:1095 at devm_kfree+0x84/0x98, CPU#16: vdpa/1463\n[ 3788.514054] Modules linked in: octep_vdpa virtio_net virtio_vdpa [last unloaded: virtio_vdpa]\n[ 3788.514064] CPU: 16 UID: 0 PID: 1463 Comm: vdpa Tainted: G W 6.18.0 #10 PREEMPT\n[ 3788.514067] Tainted: [W]=WARN\n[ 3788.514069] Hardware name: Marvell CN106XX board (DT)\n[ 3788.514071] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n[ 3788.514074] pc : devm_kfree+0x84/0x98\n[ 3788.514076] lr : devm_kfree+0x54/0x98\n[ 3788.514079] sp : ffff800084e2f220\n[ 3788.514080] x29: ffff800084e2f220 x28: ffff0003b2366000 x27: 000000000000003f\n[ 3788.514085] x26: 000000000000003f x25: ffff000106f17c10 x24: 0000000000000080\n[ 3788.514089] x23: ffff00045bb8ab08 x22: ffff00045bb8a000 x21: 0000000000000018\n[ 3788.514093] x20: ffff0004355c3080 x19: ffff00045bb8aa00 x18: 0000000000080000\n[ 3788.514098] x17: 0000000000000040 x16: 000000000000001f x15: 000000000007ffff\n[ 3788.514102] x14: 0000000000000488 x13: 0000000000000005 x12: 00000000000fffff\n[ 3788.514106] x11: ffffffffffffffff x10: 0000000000000005 x9 : ffff800080c8c05c\n[ 3788.514110] x8 : ffff800084e2eeb8 x7 : 0000000000000000 x6 : 000000000000003f\n[ 3788.514115] x5 : ffff8000831bafe0 x4 : ffff800080c8b010 x3 : ffff0004355c3080\n[ 3788.514119] x2 : ffff0004355c3080 x1 : 0000000000000000 x0 : 0000000000000000\n[ 3788.514123] Call trace:\n[ 3788.514125] devm_kfree+0x84/0x98 (P)\n[ 3788.514129] virtnet_set_queues+0x134/0x2e8 [virtio_net]\n[ 3788.514135] virtnet_probe+0x9c0/0xe00 [virtio_net]\n[ 3788.514139] virtio_dev_probe+0x1e0/0x338\n[ 3788.514144] really_probe+0xc8/0x3a0\n[ 3788.514149] __driver_probe_device+0x84/0x170\n[ 3788.514152] driver_probe_device+0x44/0x120\n[ 3788.514155] __device_attach_driver+0xc4/0x168\n[ 3788.514158] bus_for_each_drv+0x8c/0xf0\n[ 3788.514161] __device_attach+0xa4/0x1c0\n[ 3788.514164] device_initial_probe+0x1c/0x30\n[ 3788.514168] bus_probe_device+0xb4/0xc0\n[ 3788.514170] device_add+0x614/0x828\n[ 3788.514173] register_virtio_device+0x214/0x258\n[ 3788.514175] virtio_vdpa_probe+0xa0/0x110 [virtio_vdpa]\n[ 3788.514179] vdpa_dev_probe+0xa8/0xd8\n[ 3788.514183] really_probe+0xc8/0x3a0\n[ 3788.514186] __driver_probe_device+0x84/0x170\n[ 3788.514189] driver_probe_device+0x44/0x120\n[ 3788.514192] __device_attach_driver+0xc4/0x168\n[ 3788.514195] bus_for_each_drv+0x8c/0xf0\n[ 3788.514197] __device_attach+0xa4/0x1c0\n[ 3788.514200] device_initial_probe+0x1c/0x30\n[ 3788.514203] bus_probe_device+0xb4/0xc0\n[ 3788.514206] device_add+0x614/0x828\n[ 3788.514209] _vdpa_register_device+0x58/0x88\n[ 3788.514211] octep_vdpa_dev_add+0x104/0x228 [octep_vdpa]\n[ 3788.514215] vdpa_nl_cmd_dev_add_set_doit+0x2d0/0x3c0\n[ 3788.514218] genl_family_rcv_msg_doit+0xe4/0x158\n[ 3788.514222] genl_rcv_msg+0x218/0x298\n[ 3788.514225] netlink_rcv_skb+0x64/0x138\n[ 3788.514229] genl_rcv+0x40/0x60\n[ 3788.514233] netlink_unicast+0x32c/0x3b0\n[ 3788.514237] netlink_sendmsg+0x170/0x3b8\n[ 3788.514241] __sys_sendto+0x12c/0x1c0\n[ 3788.514246] __arm64_sys_sendto+0x30/0x48\n[ 3788.514249] invoke_syscall.constprop.0+0x58/0xf8\n[ 3788.514255] do_el0_svc+0x48/0xd0\n[ 3788.514259] el0_svc+0x48/0x210\n[ 3788.514264] el0t_64_sync_handler+0xa0/0xe8\n[ 3788.514268] el0t_64_sync+0x198/0x1a0\n[ 3788.514271] ---[ end trace 0000000000000000 ]---\n\nFix by using virtio_device->device consistently for\nallocation and deallocation"}], "id": "CVE-2026-23046", "lastModified": "2026-02-04T16:33:44.537", "metrics": {}, "published": "2026-02-04T16:16:20.110", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a5e2d902f64c76169c771f584559c82b588090e3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/acb4bc6e1ba34ae1a34a9334a1ce8474c909466e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

Metrics

Affected Vendors & Products

Projects

Metrics

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object