Login Sign Up

CVE-2026-23192

N/A Unknown
Denial of Service

📋 TL;DR

A use-after-free vulnerability in the Linux kernel's linkwatch subsystem allows an attacker to cause kernel memory corruption by manipulating network device carrier states. This affects all Linux systems with network interfaces, potentially leading to system crashes or privilege escalation.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Versions before the fix commit 2718ae6af7445ba2ee0abf6365ca43a9a3b16aeb
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires ability to create and manipulate network interfaces (typically root or CAP_NET_ADMIN).

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to denial of service, or potential privilege escalation if an attacker can control the freed memory region.

🟠

Likely Case

System crash or kernel panic when manipulating network interfaces, particularly tun/tap devices.

🟢

If Mitigated

Minor system instability or crash requiring reboot.

🌐 Internet-Facing: LOW - Requires local access or ability to create/manipulate network interfaces.
🏢 Internal Only: MEDIUM - Local users or processes with network interface manipulation privileges can trigger the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and network interface manipulation privileges. The provided reproduction steps demonstrate triggering the bug.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commit 2718ae6af7445ba2ee0abf6365ca43a9a3b16aeb

Vendor Advisory: https://git.kernel.org/stable/c/2718ae6af7445ba2ee0abf6365ca43a9a3b16aeb

Restart Required: Yes

Instructions:

1. Update to a kernel version containing the fix commit. 2. Check with your distribution for backported patches. 3. Reboot the system after kernel update.

🔧 Temporary Workarounds

Restrict network interface creation

Linux

Limit ability to create tun/tap devices to prevent triggering the vulnerability

echo 'install tun /bin/false' >> /etc/modprobe.d/disable-tun.conf
echo 'blacklist tun' >> /etc/modprobe.d/disable-tun.conf
rmmod tun

🧯 If You Can't Patch

  • Restrict user access to network interface manipulation (remove CAP_NET_ADMIN where possible)
  • Monitor for suspicious network interface creation/deletion activities

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if it contains the fix commit: uname -r && git log --oneline | grep '2718ae6af7445ba2ee0abf6365ca43a9a3b16aeb'

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is newer than vulnerable versions and contains the fix commit

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • KASAN reports of use-after-free in linkwatch
  • System crashes after network interface operations

Network Indicators:

  • Rapid creation/deletion of tun/tap interfaces
  • Unusual carrier state changes

SIEM Query:

source="kernel" AND ("KASAN: use-after-free" OR "linkwatch" OR "netdev_unlock_ops")

📊 Metadata

CVE ID: CVE-2026-23192
CVSS v3 Score: N/A (Unknown)
Published: February 14, 2026
Last Updated: February 18, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON