The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23030

CVE-2026-23030: Linux Kernel Use-After-Free Vulnerability

CVE-2026-23030 is a use-after-free flaw in the Linux kernel's Rockchip USB2 PHY driver that causes a double free bug. This article covers the technical details, affected versions, security impact, and mitigation.

Published: February 6, 2026

CVE-2026-23030 Overview

CVE-2026-23030 is a Double Free vulnerability in the Linux kernel's Rockchip USB2 PHY driver (inno-usb2). The vulnerability exists in the rockchip_usb2phy_probe() function where improper memory management leads to a double free condition when the for_each_available_child_of_node() macro is used in conjunction with error handling paths.

The for_each_available_child_of_node() macro calls of_node_put() to release child_np in each successful loop iteration. When breaking from the loop after the child node has already been released, the code jumps to the put_child label which calls of_node_put() again if devm_request_threaded_irq() fails, resulting in a double free condition.

Critical Impact

This double free vulnerability in the Linux kernel's USB PHY driver could potentially be exploited to cause memory corruption, system instability, or denial of service on systems using Rockchip SoCs with the inno-usb2 driver.

Affected Products

  • Linux kernel with Rockchip inno-usb2 PHY driver enabled
  • Systems using Rockchip SoCs with USB2 PHY functionality
  • Embedded devices and SBCs running affected kernel versions

Discovery Timeline

  • 2026-01-31 - CVE CVE-2026-23030 published to NVD
  • 2026-02-03 - Last updated in NVD database

Technical Details for CVE-2026-23030

Vulnerability Analysis

This vulnerability represents a classic double free bug pattern that occurs during device probing in the Linux kernel's PHY subsystem. The issue stems from improper reference counting management of device tree nodes within the Rockchip USB2 PHY driver.

The for_each_available_child_of_node() macro is a common pattern in Linux kernel drivers for iterating over device tree child nodes. This macro internally manages reference counts by calling of_node_put() on the previous node before moving to the next iteration. The problem arises when an error occurs during iteration that causes a premature break from the loop.

When the devm_request_threaded_irq() function fails, the driver's error handling path jumps to the put_child label. At this point, the child node reference may have already been decremented by the macro, causing a subsequent explicit of_node_put() call to decrement the reference count below zero—a double free condition.

Double free vulnerabilities in kernel code are particularly dangerous as they can corrupt kernel memory allocator metadata, potentially leading to use-after-free conditions, kernel panics, or exploitable memory corruption scenarios.

Root Cause

The root cause is improper coordination between the automatic reference counting performed by the for_each_available_child_of_node() macro and the manual error handling cleanup code in rockchip_usb2phy_probe(). The error handling path at the put_child label unconditionally calls of_node_put() without accounting for whether the reference was already released by the iteration macro.

The fix addresses this by returning directly from the error path instead of jumping to the cleanup label, thus avoiding the duplicate of_node_put() call.

Attack Vector

The attack vector for this vulnerability is local in nature, as it requires interaction with the USB PHY driver during device probing. Exploitation would typically require:

  1. A system running the affected Linux kernel with the Rockchip inno-usb2 driver
  2. The ability to trigger device probing scenarios that cause devm_request_threaded_irq() to fail
  3. Timing conditions that lead to the double free occurring in a exploitable manner

While exploitation complexity may be high due to the specific conditions required, double free vulnerabilities in kernel code should be treated seriously as they can potentially be leveraged for privilege escalation or denial of service.

Detection Methods for CVE-2026-23030

Indicators of Compromise

  • Kernel panic or oops messages referencing the rockchip_usb2phy_probe function
  • Memory corruption errors in kernel logs related to the USB PHY subsystem
  • Unexpected system crashes during USB device enumeration on Rockchip platforms
  • KASAN (Kernel Address Sanitizer) reports indicating double free in of_node_put()

Detection Strategies

  • Enable KASAN (Kernel Address Sanitizer) to detect double free conditions at runtime
  • Monitor kernel logs for memory allocation errors or warnings from the PHY subsystem
  • Deploy kernel tracing (ftrace) on of_node_put() calls to identify abnormal reference counting
  • Use SentinelOne Singularity to monitor for kernel-level memory corruption indicators

Monitoring Recommendations

  • Configure syslog monitoring for kernel oops and panic messages
  • Enable CONFIG_DEBUG_KOBJECT_RELEASE in debug kernels to catch reference counting issues
  • Monitor for unexpected USB subsystem failures on affected Rockchip platforms
  • Implement automated alerting for kernel crash dump collection and analysis

How to Mitigate CVE-2026-23030

Immediate Actions Required

  • Update to a patched Linux kernel version containing the fix
  • Review and audit other device tree iteration code for similar patterns
  • Enable kernel debugging options on development systems to catch similar issues
  • Apply vendor-supplied patches for Rockchip platform BSPs if available

Patch Information

The vulnerability has been resolved through multiple kernel commits. The fix modifies the error handling path to return directly instead of jumping to the cleanup label, preventing the duplicate of_node_put() call.

Official patches are available through the kernel stable tree:

  • Kernel Commit Update
  • Kernel Commit Change
  • Kernel Commit Modification
  • Kernel Commit Fix

Workarounds

  • If patching is not immediately possible, consider disabling the inno-usb2 PHY driver if USB functionality is not required
  • Use kernel live patching (kpatch/livepatch) to apply the fix without rebooting if available for your distribution
  • Implement additional monitoring for kernel memory corruption on affected systems
  • Restrict local access to the system to reduce the attack surface for exploitation
bash
# Check if the vulnerable driver is loaded
lsmod | grep phy_rockchip_inno_usb2

# View kernel version to verify if patched
uname -r

# Check kernel config for driver status
zcat /proc/config.gz | grep CONFIG_PHY_ROCKCHIP_INNO_USB2

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeUse After Free
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.02%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Kernel Commit Update
  • Kernel Commit Change
  • Kernel Commit Modification
  • Kernel Commit Fix
  • Related CVEs
  • CVE-2026-23462: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23458: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23435: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23456: Linux Kernel Use-After-Free Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English