The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23013

CVE-2026-23013: Linux Kernel Use-After-Free Vulnerability

CVE-2026-23013 is a use-after-free flaw in the Linux kernel's octeon_ep_vf driver that can cause system crashes when interrupts fire. This article covers technical details, affected versions, and mitigation steps.

Published: January 30, 2026

CVE-2026-23013 Overview

A Use-After-Free vulnerability has been discovered in the Linux kernel's Octeon EP VF network driver. The flaw exists in the octep_vf_request_irqs() function where MSI-X queue IRQs are requested with dev_id set to ioq_vector. When request_irq() fails partially, the rollback loop incorrectly calls free_irq() with dev_id set to oct instead of the original ioq_vector, causing a mismatch that may leave the irqaction registered.

This improper IRQ cleanup can keep interrupt handlers alive while ioq_vector is later freed during unwind/teardown operations, leading to a use-after-free condition or system crash when an interrupt fires.

Critical Impact

This vulnerability can lead to kernel crashes, denial of service, or potential code execution through use-after-free exploitation when the affected network driver encounters IRQ allocation failures.

Affected Products

  • Linux kernel with Octeon EP VF network driver (octeon_ep_vf)
  • Systems using Marvell/Cavium Octeon network adapters in virtual function mode
  • Kernel configurations with CONFIG_OCTEON_EP_VF enabled

Discovery Timeline

  • 2026-01-25 - CVE CVE-2026-23013 published to NVD
  • 2026-01-26 - Last updated in NVD database

Technical Details for CVE-2026-23013

Vulnerability Analysis

The vulnerability resides in the error handling path of the octep_vf_request_irqs() function within the Octeon EP VF driver. When allocating MSI-X interrupts for network queue vectors, the driver passes ioq_vector as the dev_id parameter to request_irq(). This dev_id serves as a unique identifier that must be consistent between request_irq() and free_irq() calls.

If any request_irq() call fails during the allocation loop, the driver attempts to roll back previously allocated IRQs. However, the rollback code incorrectly uses oct (the main device structure) as the dev_id parameter instead of the ioq_vector that was originally used. Since free_irq() relies on dev_id matching to properly identify and remove the IRQ handler, this mismatch causes the cleanup to fail silently, leaving IRQ handlers registered.

The consequence is particularly severe: when the driver unwinds and frees the ioq_vector structures, the still-registered interrupt handlers maintain stale pointers. Any subsequent interrupt delivery triggers a use-after-free condition as the handler attempts to access the freed ioq_vector memory, potentially causing kernel memory corruption or a system panic.

Root Cause

The root cause is an inconsistent use of the dev_id parameter between the IRQ request and free operations in the error handling path. The original code passed ioq_vector to request_irq() but erroneously passed oct to free_irq() during rollback, violating the Linux kernel's IRQ management contract that requires matching dev_id values.

Attack Vector

The attack vector for this vulnerability is local and requires the ability to trigger conditions that cause request_irq() to fail during driver initialization or reconfiguration. This could potentially be achieved through:

  • Resource exhaustion attacks depleting available IRQ vectors
  • Manipulating system state to cause IRQ allocation failures
  • Triggering driver reinitialization under constrained conditions

Once triggered, an attacker who can control timing or inject interrupts could potentially exploit the use-after-free condition for privilege escalation or arbitrary code execution within kernel context.

The vulnerability mechanism involves the following sequence:

  1. Driver calls octep_vf_request_irqs() to allocate MSI-X interrupts
  2. Multiple request_irq() calls succeed, registering handlers with ioq_vector as dev_id
  3. A subsequent request_irq() fails, triggering the error path
  4. Rollback loop calls free_irq() with incorrect dev_id (oct instead of ioq_vector)
  5. IRQ handlers remain registered but ioq_vector structures are freed
  6. Interrupt delivery causes use-after-free when handlers access freed memory

For technical implementation details, see the kernel git commit fix.

Detection Methods for CVE-2026-23013

Indicators of Compromise

  • Kernel panic messages referencing octeon_ep_vf driver or octep_vf functions
  • KASAN (Kernel Address Sanitizer) reports showing use-after-free in IRQ handler context
  • Unexpected system crashes during network driver initialization or teardown
  • Kernel log entries showing IRQ allocation failures followed by use-after-free warnings

Detection Strategies

  • Enable CONFIG_KASAN in kernel builds to detect use-after-free conditions at runtime
  • Monitor kernel logs for messages related to octep_vf_request_irqs failures
  • Implement kernel tracing on IRQ allocation and deallocation for the octeon_ep_vf driver
  • Deploy runtime kernel integrity monitoring to detect memory corruption patterns

Monitoring Recommendations

  • Configure alerting on kernel panic events involving network driver subsystems
  • Establish baseline monitoring for IRQ allocation patterns on systems with Octeon adapters
  • Enable kernel crash dump collection for forensic analysis of exploitation attempts
  • Monitor for unusual patterns of driver reinitialization or network interface flapping

How to Mitigate CVE-2026-23013

Immediate Actions Required

  • Update to a patched Linux kernel version containing the fix commit
  • Avoid using Octeon EP VF network driver on untrusted or multi-tenant systems until patched
  • If unable to patch immediately, consider disabling the octeon_ep_vf module
  • Review system configurations for alternative network driver options if applicable

Patch Information

The fix ensures that the error path in octep_vf_request_irqs() uses the correct ioq_vector as the dev_id parameter when calling free_irq() during rollback, maintaining consistency with the original request_irq() calls.

The following kernel commits address this vulnerability:

  • Kernel Git Commit Fix
  • Kernel Git Commit Update
  • Kernel Git Commit Change

Workarounds

  • Blacklist the octeon_ep_vf kernel module if not required for system operation
  • Use physical function drivers instead of virtual function drivers where possible
  • Implement kernel lockdown policies to reduce attack surface
  • Apply kernel hardening options such as CONFIG_HARDENED_USERCOPY and stack protection
bash
# Disable octeon_ep_vf module if not required
echo "blacklist octeon_ep_vf" >> /etc/modprobe.d/blacklist-octeon.conf
update-initramfs -u

# Verify module is not loaded
lsmod | grep octeon_ep_vf

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeUse After Free
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.02%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Kernel Git Commit Update
  • Kernel Git Commit Fix
  • Kernel Git Commit Change
  • Related CVEs
  • CVE-2026-23462: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23458: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23435: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23456: Linux Kernel Use-After-Free Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English