{ "affected": [ { "ranges": [ { "events": [ { "introduced": "560c974b7ccd95bb9ff20df77f6654283e45c9c6" }, { "fixed": "5172adf9efb8298a52f4dcdc3f98d4d9d1e06a6d" } ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "type": "GIT" }, { "events": [ { "introduced": "fd5614763805d6f386bd07cc53558f88b1b1eb62" }, { "fixed": "2a9ea988465ece5b6896b1bdc144170a64e84c35" } ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "type": "GIT" }, { "events": [ { "introduced": "b692bf9a7543af7ad11a59d182a3757578f0ba53" }, { "fixed": "645c6d8376ad4913cbffe0e0c2cca0c4febbe596" }, { "fixed": "b38cbd4af5034635cff109e08788c63f956f3a69" }, { "fixed": "60abb0ac11dccd6b98fd9182bc5f85b621688861" } ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "type": "GIT" } ] }, { "package": { "ecosystem": "Linux", "name": "Kernel" }, "ranges": [ { "events": [ { "introduced": "6.13.0" }, { "fixed": "6.18.17" } ], "type": "ECOSYSTEM" }, { "events": [ { "introduced": "6.19.0" }, { "fixed": "6.19.7" } ], "type": "ECOSYSTEM" } ] } ], "database_specific": { "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23326.json" }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: Fix fragment node deletion to prevent buffer leak\n\nAfter commit b692bf9a7543 (\"xsk: Get rid of xdp_buff_xsk::xskb_list_node\"),\nthe list_node field is reused for both the xskb pool list and the buffer\nfree list, this causes a buffer leak as described below.\n\nxp_free() checks if a buffer is already on the free list using\nlist_empty(\u0026xskb-\u003elist_node). When list_del() is used to remove a node\nfrom the xskb pool list, it doesn't reinitialize the node pointers.\nThis means list_empty() will return false even after the node has been\nremoved, causing xp_free() to incorrectly skip adding the buffer to the\nfree list.\n\nFix this by using list_del_init() instead of list_del() in all fragment\nhandling paths, this ensures the list node is reinitialized after removal,\nallowing the list_empty() to work correctly.", "id": "CVE-2026-23326", "modified": "2026-04-01T23:08:17.083990878Z", "published": "2026-03-25T10:27:19.021Z", "references": [ { "type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/2a9ea988465ece5b6896b1bdc144170a64e84c35" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/5172adf9efb8298a52f4dcdc3f98d4d9d1e06a6d" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/60abb0ac11dccd6b98fd9182bc5f85b621688861" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/645c6d8376ad4913cbffe0e0c2cca0c4febbe596" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/b38cbd4af5034635cff109e08788c63f956f3a69" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23326.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23326" } ], "schema_version": "1.7.3", "summary": "xsk: Fix fragment node deletion to prevent buffer leak" }