CVE-2026-22994 Overview
A reference count leak has been identified in the Linux kernel's BPF subsystem, specifically in bpf_prog_test_run_xdp(), the handler behind BPF_PROG_TEST_RUN for XDP programs. The flaw was found by syzbot automated testing, which reported a "waiting for sit0 to become free" message: a network device whose usage count never returns to zero, so it can never be unregistered. The leak comes from an error handling path that fails to release the device reference taken at the start of an XDP test run.
Critical Impact
The leaked reference keeps a network device's usage count above zero, so unregister_netdevice() waits indefinitely for it. Any later teardown of that device, or of the network namespace that owns it, blocks behind the stuck device, which is a denial of service against interface and namespace management and can leave the system unstable.
Affected Products
- Linux kernels that include commit 1c1949982524 (frags support in bpf_prog_test_run_xdp()) and predate the fix
- Systems on such kernels that allow BPF_PROG_TEST_RUN of XDP programs with an xdp_md context naming an ingress interface
- Linux distributions shipping affected kernel versions
Discovery Timeline
- 2026-01-23 - CVE-2026-22994 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2026-22994
Vulnerability Analysis
The vulnerability exists in the BPF (Berkeley Packet Filter) subsystem's XDP (eXpress Data Path) test infrastructure. When a caller of BPF_PROG_TEST_RUN supplies an xdp_md context with a non-zero ingress_ifindex, bpf_prog_test_run_xdp() calls xdp_convert_md_to_buff(), which looks the device up and takes a reference on it so that the program under test sees a real receive queue. Under normal operation that reference is dropped by the matching call to xdp_convert_buff_to_md() after the program has run.
The problem arises from error handling code introduced in commit 1c1949982524, which added frags (multi-buffer) support to bpf_prog_test_run_xdp(). The fragment-building loop it added runs after xdp_convert_md_to_buff() has succeeded, and its new failure cases (running out of fragment slots, a failed page allocation, or a failed copy of user data) jump straight to the cleanup labels without calling xdp_convert_buff_to_md(). Each such failure leaks one reference on the ingress device.
This is a reference leak rather than a memory leak: the device's usage count never returns to zero, so the kernel reports "unregister_netdevice: waiting for sit0 to become free. Usage count = 2" when the interface is later torn down, and the device (and the network namespace that owns it) cannot be freed.
Root Cause
The root cause is an incomplete error handling path in the BPF XDP test runner. When commit 1c1949982524 introduced frags support to bpf_prog_test_run_xdp(), it added new exit paths between the call to xdp_convert_md_to_buff() and the call to xdp_convert_buff_to_md(), but did not ensure that the latter runs on every one of them. That violates the reference counting contract set by commit ec94670fcb3b, which introduced the ingress_ifindex handling: a reference taken by xdp_convert_md_to_buff() must be released by xdp_convert_buff_to_md() on every path where the former succeeded, error or not.
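To make the contract concrete, here is an added userspace model of the two runner shapes. It is not kernel code: the fake_netdev, md_to_buff(), buff_to_md() and build_frags() names are stand-ins for struct net_device, xdp_convert_md_to_buff(), xdp_convert_buff_to_md() and the fragment loop, and the only state that matters is the device's reference count. The vulnerable runner jumps to cleanup on a fragment failure without releasing the reference; the fixed runner releases it on every path.

```c
/* Added illustration, not kernel code: a userspace model of the netdev
 * reference contract that bpf_prog_test_run_xdp() must honour.
 * md_to_buff() models xdp_convert_md_to_buff() taking a reference on the
 * ingress device; buff_to_md() models xdp_convert_buff_to_md() dropping it.
 * Every path on which md_to_buff() succeeded must reach buff_to_md(). */
#include <stdio.h>

/* Stand-in for struct net_device: only the usage count matters here. */
struct fake_netdev {
    const char *name;
    int refcnt;
};

/* Stand-in for the user-supplied struct xdp_md context. */
struct fake_xdp_md {
    int ingress_ifindex;   /* 0 means "no device", as in the kernel */
};

/* Stand-in for struct xdp_buff: remembers which device is referenced. */
struct fake_xdp_buff {
    struct fake_netdev *dev;
};

static struct fake_netdev sit0 = { "sit0", 1 };   /* 1 == held by the stack */

/* Model of dev_get_by_index(): takes a reference and records the device. */
static int md_to_buff(struct fake_xdp_md *md, struct fake_xdp_buff *xdp)
{
    xdp->dev = NULL;
    if (!md || !md->ingress_ifindex)
        return 0;
    if (md->ingress_ifindex != 1)   /* only ifindex 1 exists in this model */
        return -19;                 /* -ENODEV */
    sit0.refcnt++;                  /* the dev_hold() side of the contract */
    xdp->dev = &sit0;
    return 0;
}

/* Model of xdp_convert_buff_to_md(): the matching dev_put(). */
static void buff_to_md(struct fake_xdp_buff *xdp, struct fake_xdp_md *md)
{
    if (!md || !md->ingress_ifindex || !xdp->dev)
        return;
    xdp->dev->refcnt--;
    xdp->dev = NULL;
}

/* Models the fragment loop: fails once the caller asks for more fragments
 * than the model allows, the way the kernel fails with -ENOMEM when it
 * runs out of fragment slots or a page allocation fails. */
static int build_frags(int nfrags)
{
    return nfrags > 2 ? -12 : 0;   /* -ENOMEM */
}

/* Shape of the error path added by the frags commit: a failure jumps to
 * cleanup without calling buff_to_md(), leaking one reference per call. */
static int test_run_xdp_vulnerable(struct fake_xdp_md *md, int nfrags)
{
    struct fake_xdp_buff xdp;
    int ret = md_to_buff(md, &xdp);
    if (ret)
        return ret;
    ret = build_frags(nfrags);
    if (ret)
        goto out;                  /* BUG: reference still held */
    buff_to_md(&xdp, md);          /* only the success path releases it */
out:
    return ret;
}

/* Fixed shape: every exit after md_to_buff() succeeded releases the ref. */
static int test_run_xdp_fixed(struct fake_xdp_md *md, int nfrags)
{
    struct fake_xdp_buff xdp;
    int ret = md_to_buff(md, &xdp);
    if (ret)
        return ret;
    ret = build_frags(nfrags);
    buff_to_md(&xdp, md);          /* drop the reference on every path */
    return ret;
}

/* Runs `iterations` failing test runs through `run` and returns how many
 * references were left behind, i.e. how far sit0 is from being freeable. */
static int leaked_refs_after(int (*run)(struct fake_xdp_md *, int), int iterations)
{
    struct fake_xdp_md md = { .ingress_ifindex = 1 };
    int before = sit0.refcnt;
    for (int i = 0; i < iterations; i++)
        run(&md, 3);               /* 3 fragments > 2: forces the error path */
    return sit0.refcnt - before;
}

int main(void)
{
    printf("vulnerable: %d leaked refs after 5 failed runs\n",
           leaked_refs_after(test_run_xdp_vulnerable, 5));
    printf("fixed:      %d leaked refs after 5 failed runs\n",
           leaked_refs_after(test_run_xdp_fixed, 5));
    return 0;
}
```

The point of the fixed shape is structural: the release is placed where every exit after the acquire passes through it, so a future error case added to the loop cannot reintroduce the leak.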
Attack Vector
The vulnerability is triggered by running BPF_PROG_TEST_RUN on an XDP program with an xdp_md context that names an ingress interface, and making the run fail inside the fragment handling. An attacker able to load and test-run XDP programs could use this to cause denial of service by:
- Repeatedly triggering the error path that leaks references
- Accumulating leaked reference counts on network devices
- Preventing network devices from being properly unregistered
- Blocking teardown of the affected device and its network namespace, so that later namespace cleanups (container or VM networking, for example) queue behind it and the system degrades
The attack is local only. Loading an XDP program requires CAP_NET_ADMIN (together with CAP_BPF on kernels that have it, or CAP_SYS_ADMIN), checked against the initial user namespace, so the kernel.unprivileged_bpf_disabled setting does not by itself open or close this path; the realistic attacker is a privileged process or a compromised workload that already holds those capabilities.
Detection Methods for CVE-2026-22994
Indicators of Compromise
- Kernel log messages containing "unregister_netdevice: waiting for [device] to become free"
- Elevated reference counts on network interfaces that don't decrease over time
- Network interfaces stuck in a pending removal state
- Memory utilization gradually increasing without corresponding workload changes
- Repeated failing BPF_PROG_TEST_RUN calls on XDP programs from a single process, visible through syscall auditing of bpf(2)
Detection Strategies
- Monitor kernel logs (dmesg/syslog) for "unregister_netdevice" warning messages
- Implement alerting on repeated network device unregistration failures
- Track BPF program load and test execution patterns for anomalous behavior
- Use kernel tracing tools (ftrace, eBPF) to monitor bpf_prog_test_run_xdp() error paths
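The first detection strategy above, as an added example that is not part of the original page: a small scanner for the "unregister_netdevice: waiting for <dev> to become free" message, which groups occurrences by device and reports devices whose usage count never drops. That pattern separates a device stuck on a leaked reference (the kernel repeats the warning with the same count) from a transient warning during a normal teardown that resolves itself. The log lines are constructed for the example; the message format itself is the kernel's.

```c
/* Added example, not from the page or the kernel: scans dmesg/syslog-style
 * lines for the unregister_netdevice warning, aggregates per device and
 * flags devices that keep warning with a usage count that never decreases. */
#include <stdio.h>
#include <string.h>

#define MAX_DEVS 16
#define NAME_LEN 16

struct dev_stat {
    char name[NAME_LEN];
    int hits;          /* number of warnings seen for this device */
    int first_count;   /* Usage count in the first warning */
    int last_count;    /* Usage count in the most recent warning */
};

/* Parses one log line. Returns 1 and fills name/count if it is the
 * unregister_netdevice warning, 0 otherwise. Any dmesg timestamp or
 * syslog prefix is skipped because the marker is located with strstr(). */
static int parse_unregister_line(const char *line, char *name, int *count)
{
    static const char marker[] = "unregister_netdevice: waiting for ";
    const char *p = strstr(line, marker);
    if (!p)
        return 0;
    p += strlen(marker);
    return sscanf(p, "%15s to become free. Usage count = %d", name, count) == 2;
}

static struct dev_stat *find_or_add(struct dev_stat *stats, int *n, const char *name)
{
    for (int i = 0; i < *n; i++)
        if (strcmp(stats[i].name, name) == 0)
            return &stats[i];
    if (*n == MAX_DEVS)
        return NULL;               /* table full: ignore further devices */
    struct dev_stat *s = &stats[(*n)++];
    strncpy(s->name, name, NAME_LEN - 1);
    s->name[NAME_LEN - 1] = '\0';
    s->hits = 0;
    s->first_count = s->last_count = -1;
    return s;
}

/* Scans `lines` and returns the number of devices that look stuck: warned
 * at least `min_hits` times with a usage count that did not decrease
 * between the first and the most recent warning. */
static int count_stuck_devices(const char *const *lines, int nlines, int min_hits)
{
    struct dev_stat stats[MAX_DEVS];
    int ndevs = 0, stuck = 0;
    char name[NAME_LEN];
    int count;

    for (int i = 0; i < nlines; i++) {
        if (!parse_unregister_line(lines[i], name, &count))
            continue;
        struct dev_stat *s = find_or_add(stats, &ndevs, name);
        if (!s)
            continue;
        if (s->hits == 0)
            s->first_count = count;
        s->last_count = count;
        s->hits++;
    }
    for (int i = 0; i < ndevs; i++) {
        if (stats[i].hits >= min_hits && stats[i].last_count >= stats[i].first_count) {
            printf("stuck: %s (%d warnings, usage count %d -> %d)\n",
                   stats[i].name, stats[i].hits,
                   stats[i].first_count, stats[i].last_count);
            stuck++;
        }
    }
    return stuck;
}

/* Constructed sample: sit0 is stuck at usage count 2 across repeated
 * warnings; eth1 warns twice but its count drops, a teardown that
 * resolved itself and should not be flagged. */
static const char *const sample_log[] = {
    "[  120.001] unregister_netdevice: waiting for sit0 to become free. Usage count = 2",
    "[  130.002] unregister_netdevice: waiting for sit0 to become free. Usage count = 2",
    "[  131.000] eth1: link down",
    "[  140.003] unregister_netdevice: waiting for sit0 to become free. Usage count = 2",
    "[  150.004] unregister_netdevice: waiting for eth1 to become free. Usage count = 3",
    "[  160.005] unregister_netdevice: waiting for eth1 to become free. Usage count = 1",
};

int main(void)
{
    int n = (int)(sizeof sample_log / sizeof sample_log[0]);
    int stuck = count_stuck_devices(sample_log, n, 3);
    printf("%d device(s) flagged\n", stuck);
    return 0;
}
```

The threshold and the "count never decreased" rule are what keep this from paging on every interface removal; in production the same logic would read from `journalctl -k` or `dmesg -w` rather than an embedded array, and the device name is worth enriching with its network namespace, since a stuck device usually means a stuck namespace cleanup as well.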
Monitoring Recommendations
- Deploy kernel event monitoring to detect reference count leak patterns
- Configure SentinelOne's Linux agent to alert on suspicious BPF program activity
- Establish baselines for normal BPF test run operations and alert on deviations
- Monitor system stability metrics including network interface states and memory utilization
How to Mitigate CVE-2026-22994
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix commits
- Restrict who may load and test-run BPF programs; note that XDP program loading already requires CAP_NET_ADMIN, so the kernel.unprivileged_bpf_disabled sysctl is defense in depth here rather than a direct block
- Monitor systems for signs of exploitation such as repeated "unregister_netdevice: waiting for ... to become free" messages
- There is no runtime switch for BPF_PROG_TEST_RUN; where it is not needed, deny that bpf(2) command with a seccomp filter on the syscall's first argument (cmd) for the workloads concerned
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures that xdp_convert_buff_to_md() is properly called in all error handling paths within bpf_prog_test_run_xdp(). The following kernel commits contain the fix:
Apply the appropriate patch for your kernel version through your Linux distribution's package manager or by building from updated kernel sources.
Workarounds
- Disable unprivileged BPF access by setting kernel.unprivileged_bpf_disabled=1 (defense in depth; the XDP path additionally needs CAP_NET_ADMIN)
- Restrict the bpf(2) syscall, and specifically the BPF_PROG_TEST_RUN command, using seccomp filters or SELinux/AppArmor policies
- Limit the capabilities granted to containers and services: XDP program loading needs CAP_NET_ADMIN plus CAP_BPF (or CAP_SYS_ADMIN), so workloads without them cannot reach the leaking path
- Implement resource limits and monitoring to detect and mitigate DoS conditions
# Configuration example
# Disable unprivileged BPF as a hardening measure. This does not by itself
# block the affected path (loading an XDP program needs CAP_NET_ADMIN),
# but it removes the unprivileged BPF attack surface around it.
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
# Make the setting persistent across reboots
echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.d/99-bpf-security.conf
# Apply sysctl settings immediately and confirm the value took effect
sysctl -p /etc/sysctl.d/99-bpf-security.conf
sysctl kernel.unprivileged_bpf_disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.