CVE-2026-23209

N/A Unknown

📋 TL;DR

A use-after-free vulnerability in the Linux kernel's macvlan subsystem allows attackers to crash the kernel or potentially execute arbitrary code. This affects Linux systems using macvlan interfaces in source mode with specific MAC address configurations. Attackers need local access to trigger the vulnerability.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific kernel versions before the fix commits (check git references for exact ranges)
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using macvlan interfaces in MACVLAN_MODE_SOURCE mode with MACVLAN_MACADDR_ADD/SET operations that fail during device registration

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic leading to system crash or potential privilege escalation to kernel-level code execution

🟠 Likely Case: Kernel crash causing denial of service and system instability

🟢 If Mitigated: No impact if macvlan interfaces are not used or proper patches are applied

🌐 Internet-Facing: LOW - Requires local access to trigger
🏢 Internal Only: MEDIUM - Local attackers or misconfigured automation could trigger the vulnerability

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and specific macvlan configuration to trigger; detailed reproduction steps provided in CVE description

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits: 11ba9f0dc865, 5dae6b36a7cb, 986967a16214, c43d0e787cbb, cdedcd5aa3f3

Vendor Advisory: https://git.kernel.org/stable/c/

Restart Required: Yes

Instructions:

  1. Update Linux kernel to patched version
  2. Reboot system
  3. Verify kernel version contains fix commits

🔧 Temporary Workarounds

Disable macvlan source mode

all

Avoid using macvlan interfaces in MACVLAN_MODE_SOURCE mode

# Do not create macvlan interfaces with 'mode source' parameter

Restrict macvlan creation

all

Limit ability to create macvlan interfaces to trusted users only

# Use Linux capabilities or sudo restrictions to control who can run 'ip link add' commands

🧯 If You Can't Patch

  • Restrict local user access to systems using macvlan interfaces
  • Monitor for macvlan interface creation attempts and investigate anomalies
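
To support the source-mode workaround and the monitoring advice above, the following added example (not part of the original advisory) lists macvlan interfaces currently in source mode by parsing the text output of ip -d link show type macvlan. The function names and sample data are constructed for illustration, and the layout of the detail line is an assumption modelled on iproute2 output.

```shell
#!/bin/sh
# Added example, not part of the advisory: list macvlan interfaces in source mode.
# Reads the text output of `ip -d link show type macvlan` on stdin and prints
# "<name> remotes=<count|unknown>" for every interface in source mode.
macvlan_source_ifaces() {
    awk '
        # Link header line: "<index>: <name>@<lower>: <FLAGS> ..."
        /^[0-9]+: / {
            name = $2
            sub(/:$/, "", name)      # strip trailing colon
            sub(/@.*$/, "", name)    # strip "@<lower device>"
            next
        }
        # Indented detail line: "macvlan mode <mode> ..."
        $1 == "macvlan" && $2 == "mode" && $3 == "source" {
            remotes = "unknown"
            # The source MAC count is printed as "remotes (<n>)"; its position
            # on the line is not assumed, so scan every field for it.
            for (i = 4; i < NF; i++)
                if ($i == "remotes") { remotes = $(i + 1); gsub(/[()]/, "", remotes) }
            print name " remotes=" remotes
        }
    '
}

# Constructed sample input (interface names and MAC addresses are made up).
sample_ip_output() {
    cat <<'EOF'
7: mv-br0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0
    macvlan mode bridge bcqueuelen 1000 usedbcqueuelen 1000 addrgenmode eui64
8: mv-src0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 0
    macvlan mode source remotes (2) 02:00:00:00:00:aa 02:00:00:00:00:ab addrgenmode eui64
9: mv-src1@eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff promiscuity 0
    macvlan mode source bcqueuelen 1000 usedbcqueuelen 1000 remotes (0) addrgenmode eui64
EOF
}

# Demo on the sample; on a real host pipe in: ip -d link show type macvlan
sample_ip_output | macvlan_source_ifaces
```

An empty result means no macvlan interface on the host is in source mode.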

🔍 How to Verify

Check if Vulnerable:

Run uname -r and check whether the running kernel predates the fix commits by comparing it with the patched versions

Check Version:

uname -r

Verify Fix Applied:

Verify kernel contains fix commits: grep -r 'macvlan_flush_sources' /proc/kallsyms or check kernel source

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • macvlan interface creation failures
  • Use-after-free kernel warnings

Network Indicators:

  • Unexpected macvlan interface creation
  • Network interface configuration changes

SIEM Query:

search 'kernel: macvlan' OR 'kernel panic' OR 'use-after-free' in system logs
