IM
IronMonkey Threat Research

CVE-2026-23103 HIGH

Published: 2026-02-04 | Last Modified: 2026-07-14 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: ipvlan: Make the addrs_lock be per port Make the addrs_lock be per port, not per ipvlan dev. Initial code seems to be written in the assumption, that any address change must occur under RTNL. But it is not so for the case of IPv6. So 1) Introduce per-port addrs_lock. 2) It was needed to fix places where it was forgotten to take lock (ipvlan_open/ipvlan_close) This appears to be a very minor problem though. Since it's highly unlikely that ipvlan_add_addr() will be called on 2 CPU simultaneously. But nevertheless, this could cause: 1) False-negative of ipvlan_addr_busy(): one interface iterated through all port->ipvlans + ipvlan->addrs under some ipvlan spinlock, and another added IP under its own lock. Though this is only possible for IPv6, since looks like only ipvlan_addr6_event() can be called without rtnl_lock. 2) Race since ipvlan_ht_addr_add(port) is called under different ipvlan->addrs_lock locks This should not affect performance, since add/remove IP is a rare situation and spinlock is not taken on fast paths.

Additional Descriptions (1)

En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: ipvlan: Hacer que el addrs_lock sea por puerto Hacer que el addrs_lock sea por puerto, no por dispositivo ipvlan. El código inicial parece estar escrito bajo la suposición de que cualquier cambio de dirección debe ocurrir bajo RTNL. Pero no es así para el caso de IPv6. Así que 1) Introducir addrs_lock por puerto. 2) Fue necesario corregir lugares donde se olvidó tomar el bloqueo (ipvlan_open/ipvlan_close) Esto parece ser un problema muy menor, sin embargo. Ya que es muy poco probable que ipvlan_add_addr() sea llamado en 2 CPU simultáneamente. Pero, sin embargo, esto podría causar: 1) Falso negativo de ipvlan_addr_busy(): una interfaz iteró a través de todos los port->ipvlans + ipvlan->addrs bajo algún spinlock de ipvlan, y otra añadió IP bajo su propio bloqueo. Aunque esto solo es posible para IPv6, ya que parece que solo ipvlan_addr6_event() puede ser llamado sin rtnl_lock. 2) Condición de carrera ya que ipvlan_ht_addr_add(port) es llamado bajo diferentes bloqueos ipvlan->addrs_lock. Esto no debería afectar el rendimiento, ya que añadir/eliminar IP es una situación rara y el spinlock no se toma en rutas rápidas.

CVSS Metrics

Base Score: 5.5 (MEDIUM)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack VectorLOCAL
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 3.6

Weaknesses

Source Type Description
[email protected] Primary
en CWE-667

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702bdc3724c0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b835cf8c0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bcc125e00> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdc372fc0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdc370080> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdc373ec0> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bdd83f4c0> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bde786dc0> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bdd83ef40> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bdc371f00> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bde23d3c0> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bdd129c80> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*

References

Notification
Message here