CVE-2026-23198
📋 TL;DR
A race condition vulnerability in the Linux kernel's KVM subsystem where deassigning an irqfd (interrupt request file descriptor) incorrectly clobbers routing information, potentially causing use-after-free conditions, NULL pointer dereferences, or list corruption. This affects systems using KVM virtualization with irqfd functionality, particularly on x86 and arm64 architectures.
💻 Affected Systems
- Linux kernel with KVM enabled
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic, system crash, or memory corruption leading to denial of service or potential privilege escalation in virtualized environments.
Likely Case
System crashes or instability when managing virtual machine interrupts, particularly during irqfd deassignment operations.
If Mitigated
Minimal impact with proper patching; the vulnerability requires specific KVM configurations and operations to trigger.
🎯 Exploit Status
Exploitation requires local access to the host system, KVM privileges, and triggering specific race conditions during irqfd deassignment operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check git commits: 2284bc168b148a17b5ca3b37b3d95c411f18a08d, 4385b2f2843549bfb932e0dcf76bf4b065543a3c, 6d14ba1e144e796b5fc81044f08cfba9024ca195, 959a063e7f12524bc1871ad1f519787967bbcd45, b4d37cdb77a0015f51fee083598fa227cc07aaf1
Vendor Advisory: https://git.kernel.org/stable/c/2284bc168b148a17b5ca3b37b3d95c411f18a08d
Restart Required: Yes
Instructions:
1. Identify your Linux kernel version.
2. Check if patches are available for your distribution.
3. Update kernel package through your package manager.
4. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable KVM irqfd functionality
Linux: Prevent use of irqfd interrupts in KVM to avoid triggering the vulnerability
echo 0 > /sys/module/kvm/parameters/enable_irqfd
🧯 If You Can't Patch
- Restrict KVM access to trusted users only
- Monitor system logs for kernel panic or NULL pointer dereference events
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if KVM is enabled: uname -r && lsmod | grep kvm
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version after update and check that KVM module loads without errors
📡 Detection & Monitoring
Log Indicators:
- Kernel NULL pointer dereference messages
- list_add corruption errors
- BUG: kernel NULL pointer dereference in amd_iommu_update_ga
Network Indicators:
- No network indicators - this is a local kernel vulnerability
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "list_add corruption" OR "amd_iommu_update_ga")
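An added example (not from the original advisory or the kernel project) of the log check above: it scans dmesg-style lines for the three indicators listed here and rates a NULL dereference higher when amd_iommu_update_ga appears in the same oops report, since the generic message alone matches unrelated crashes. The sample lines, the 40-line window and the confidence labels are constructed assumptions.

```python
import re

# Indicator strings taken from the "Log Indicators" list on this page.
NULL_DEREF = re.compile(r"BUG: kernel NULL pointer dereference")
LIST_CORRUPT = re.compile(r"list_add corruption")
GA_SYMBOL = re.compile(r"\bamd_iommu_update_ga\b")
END_TRACE = re.compile(r"---\[ end trace")           # closes one oops report
TS = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")       # dmesg "[ secs.usecs] msg"
WINDOW = 40  # assumption: an oops report fits within this many lines

# Constructed sample input, not captured from a real host.
SAMPLE = """\
[  101.000001] constructed benign line
[  412.118822] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  412.118830] #PF: supervisor read access in kernel mode
[  412.118851] RIP: 0010:amd_iommu_update_ga+0x19/0x60
[  412.118990] ---[ end trace 0000000000000000 ]---
[  530.200100] list_add corruption. next->prev should be prev (ffff888100000000), but was ffff888100000008.
[  777.000500] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  777.000520] RIP: 0010:some_other_driver_fn+0x5/0x20
[  777.000700] ---[ end trace 0000000000000000 ]---
""".splitlines()


def scan(lines):
    """Return findings as dicts with ts, kind, confidence and the matching line."""
    parsed = []
    for raw in lines:
        m = TS.match(raw.rstrip())
        parsed.append((float(m.group(1)), m.group(2)) if m else (None, raw.rstrip()))
    findings = []
    for i, (ts, msg) in enumerate(parsed):
        if LIST_CORRUPT.search(msg):
            findings.append({"ts": ts, "kind": "list_add corruption",
                             "confidence": "medium", "line": msg})
        elif NULL_DEREF.search(msg):
            # Look ahead inside the same oops report for the symbol named above.
            confidence = "low"
            for _, later in parsed[i:i + WINDOW]:
                if GA_SYMBOL.search(later):
                    confidence = "high"
                    break
                if END_TRACE.search(later):
                    break
            findings.append({"ts": ts, "kind": "NULL pointer dereference",
                             "confidence": confidence, "line": msg})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["ts"], f["confidence"], f["kind"])
```

To run it against a live host, feed it the lines of `dmesg` or `journalctl -k -o short-monotonic` output instead of `SAMPLE`.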
🔗 References
- https://git.kernel.org/stable/c/2284bc168b148a17b5ca3b37b3d95c411f18a08d
- https://git.kernel.org/stable/c/4385b2f2843549bfb932e0dcf76bf4b065543a3c
- https://git.kernel.org/stable/c/6d14ba1e144e796b5fc81044f08cfba9024ca195
- https://git.kernel.org/stable/c/959a063e7f12524bc1871ad1f519787967bbcd45
- https://git.kernel.org/stable/c/b4d37cdb77a0015f51fee083598fa227cc07aaf1
- https://git.kernel.org/stable/c/b61f9b2fcf181451d0a319889478cc53c001123e
- https://git.kernel.org/stable/c/ff48c9312d042bfbe826ca675e98acc6c623211c