2439900 – (CVE-2026-23209) CVE-2026-23209 kernel: macvlan: fix error recovery in macvlan_common_newlink()

Bug 2439900 (CVE-2026-23209) - CVE-2026-23209 kernel: macvlan: fix error recovery in macvlan_common_newlink()

Summary: CVE-2026-23209 kernel: macvlan: fix error recovery in macvlan_common_newlink()

Keywords:
Status:	NEW
Alias:	CVE-2026-23209
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-14 17:02 UTC by OSIDB Bzimport
Modified:	2026-04-08 15:42 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2026:6036	None	None	None	2026-03-30 02:18:11 UTC
Red Hat Product Errata	RHSA-2026:6037	None	None	None	2026-03-30 02:40:52 UTC
Red Hat Product Errata	RHSA-2026:6153	None	None	None	2026-03-30 11:06:29 UTC
Red Hat Product Errata	RHSA-2026:6164	None	None	None	2026-03-30 15:06:45 UTC
Red Hat Product Errata	RHSA-2026:6310	None	None	None	2026-04-01 00:45:06 UTC
Red Hat Product Errata	RHSA-2026:6632	None	None	None	2026-04-06 07:50:01 UTC
Red Hat Product Errata	RHSA-2026:6692	None	None	None	2026-04-06 16:06:12 UTC
Red Hat Product Errata	RHSA-2026:6953	None	None	None	2026-04-08 03:24:21 UTC
Red Hat Product Errata	RHSA-2026:6954	None	None	None	2026-04-08 03:32:17 UTC
Red Hat Product Errata	RHSA-2026:6961	None	None	None	2026-04-08 05:06:31 UTC
Red Hat Product Errata	RHSA-2026:7003	None	None	None	2026-04-08 08:32:12 UTC
Red Hat Product Errata	RHSA-2026:7013	None	None	None	2026-04-08 12:11:03 UTC
Red Hat Product Errata	RHSA-2026:7100	None	None	None	2026-04-08 15:42:36 UTC

Description OSIDB Bzimport 2026-02-14 17:02:09 UTC

In the Linux kernel, the following vulnerability has been resolved:

macvlan: fix error recovery in macvlan_common_newlink()

valis provided a nice repro to crash the kernel:

ip link add p1 type veth peer p2
ip link set address 00:00:00:00:00:20 dev p1
ip link set up dev p1
ip link set up dev p2

ip link add mv0 link p2 type macvlan mode source
ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20

ping -c1 -I p1 1.2.3.4

He also gave a very detailed analysis:

<quote valis>

The issue is triggered when a new macvlan link is created  with
MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or
MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan
port and register_netdevice() called from macvlan_common_newlink()
fails (e.g. because of the invalid link name).

In this case macvlan_hash_add_source is called from
macvlan_change_sources() / macvlan_common_newlink():

This adds a reference to vlan to the port's vlan_source_hash using
macvlan_source_entry.

vlan is a pointer to the priv data of the link that is being created.

When register_netdevice() fails, the error is returned from
macvlan_newlink() to rtnl_newlink_create():

        if (ops->newlink)
                err = ops->newlink(dev, &params, extack);
        else
                err = register_netdevice(dev);
        if (err < 0) {
                free_netdev(dev);
                goto out;
        }

and free_netdev() is called, causing a kvfree() on the struct
net_device that is still referenced in the source entry attached to
the lower device's macvlan port.

Now all packets sent on the macvlan port with a matching source mac
address will trigger a use-after-free in macvlan_forward_source().

</quote valis>

With all that, my fix is to make sure we call macvlan_flush_sources()
regardless of @create value whenever "goto destroy_macvlan_port;"
path is taken.

Many thanks to valis for following up on this issue.

Comment 1 Alexander B 2026-02-16 15:51:09 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026021439-CVE-2026-23209-9ad6@gregkh/T

Comment 3 errata-xmlrpc 2026-03-30 02:18:10 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:6036 https://access.redhat.com/errata/RHSA-2026:6036

Comment 4 errata-xmlrpc 2026-03-30 02:40:51 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:6037 https://access.redhat.com/errata/RHSA-2026:6037

Comment 5 errata-xmlrpc 2026-03-30 11:06:28 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:6153 https://access.redhat.com/errata/RHSA-2026:6153

Comment 6 errata-xmlrpc 2026-03-30 15:06:44 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:6164 https://access.redhat.com/errata/RHSA-2026:6164

Comment 7 errata-xmlrpc 2026-04-01 00:45:05 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:6310 https://access.redhat.com/errata/RHSA-2026:6310

Comment 8 errata-xmlrpc 2026-04-06 07:50:00 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:6632 https://access.redhat.com/errata/RHSA-2026:6632

Comment 9 errata-xmlrpc 2026-04-06 16:06:11 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:6692 https://access.redhat.com/errata/RHSA-2026:6692

Comment 10 errata-xmlrpc 2026-04-08 03:24:20 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:6953 https://access.redhat.com/errata/RHSA-2026:6953

Comment 11 errata-xmlrpc 2026-04-08 03:32:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:6954 https://access.redhat.com/errata/RHSA-2026:6954

Comment 12 errata-xmlrpc 2026-04-08 05:06:30 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:6961 https://access.redhat.com/errata/RHSA-2026:6961

Comment 13 errata-xmlrpc 2026-04-08 08:32:11 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:7003 https://access.redhat.com/errata/RHSA-2026:7003

Comment 14 errata-xmlrpc 2026-04-08 12:11:02 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:7013 https://access.redhat.com/errata/RHSA-2026:7013

Comment 15 errata-xmlrpc 2026-04-08 15:42:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:7100 https://access.redhat.com/errata/RHSA-2026:7100

Note You need to log in before you can comment on or make changes to this bug.