CVE-2026-23032 Overview
A memory leak vulnerability has been identified in the Linux kernel's null_blk driver when CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled. The vulnerability occurs because the driver fails to release references to fault-config configfs items (timeout_inject, requeue_inject, and init_hctx_fault_inject) when a nullbX device is removed. This results in unreferenced memory objects that are detected by kmemleak.
Critical Impact
Systems running the affected Linux kernel with null_blk fault injection enabled may experience gradual memory exhaustion due to leaked configfs item references, potentially leading to system instability or denial of service conditions.
Affected Products
- Linux kernel with CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION enabled
- Systems using null_blk driver for testing and fault injection purposes
Discovery Timeline
- 2026-01-31 - CVE-2026-23032 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-23032
Vulnerability Analysis
This vulnerability exists within the null_blk driver's fault injection subsystem. When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the driver creates configfs items as children of the top-level nullbX configfs group for fault injection purposes. These include timeout_inject, requeue_inject, and init_hctx_fault_inject items.
The core issue is a reference counting error in the cleanup path. When a nullbX device is removed from the system, the driver properly handles most cleanup operations but neglects to release the references taken to the fault-config configfs items. This omission causes kmemleak to report memory leaks as the memory allocated for these items becomes unreferenced but never freed.
Root Cause
The root cause is improper resource cleanup in the null_blk driver's device removal path. Specifically, the driver acquires references to fault-config configfs items during device initialization but fails to implement corresponding release operations when the device is destroyed. This violates proper reference counting semantics in the Linux kernel.
Attack Vector
This is a local vulnerability requiring kernel configuration changes. The memory leak occurs through normal device operations when creating and removing null_blk devices with fault injection support enabled. While not directly exploitable for privilege escalation, repeated device creation and removal cycles could be used to exhaust system memory, leading to denial of service conditions.
The kmemleak backtrace from the CVE shows the allocation path:
- __kmalloc_node_track_caller_noprof allocates memory
- kvasprintf creates the string
- config_item_set_name sets the configfs item name
- config_group_init_type_name initializes the group
- fault_config_init performs fault injection setup
The fix requires explicitly releasing these references when dropping the reference to the top-level nullbX configfs group.
Detection Methods for CVE-2026-23032
Indicators of Compromise
- kmemleak reports showing unreferenced objects related to init_hctx_fault_inject, timeout_inject, or requeue_inject
- Gradual increase in kernel memory usage on systems using null_blk with fault injection
- Memory allocation failures after extended periods of null_blk device creation/removal operations
Detection Strategies
- Enable kmemleak (CONFIG_DEBUG_KMEMLEAK) to detect unreferenced memory objects
- Monitor /sys/kernel/debug/kmemleak for entries containing null_blk fault injection item names
- Review kernel logs for memory pressure warnings on systems actively using null_blk fault injection
Monitoring Recommendations
- Implement memory monitoring on systems using null_blk driver with fault injection enabled
- Set up alerts for kmemleak warnings containing init_hctx_fault, timeout_inject, or requeue_inject strings
- Monitor kernel memory consumption trends to identify gradual memory leaks
How to Mitigate CVE-2026-23032
Immediate Actions Required
- Update to a patched Linux kernel version containing the fix
- If immediate patching is not possible, consider disabling CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION if fault injection is not required
- Limit the frequency of null_blk device creation and removal operations until patched
Patch Information
Multiple kernel patches have been released to address this vulnerability. The fix ensures proper release of references to fault-config configfs items when the top-level nullbX configfs group is dropped. Patches are available in the following commits:
- Kernel Git Commit 1a3286edf4d4
- Kernel Git Commit 40b94ec7edbb
- Kernel Git Commit d59ba448ccd5
- Kernel Git Commit f1718da05128
Workarounds
- Disable CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION in kernel configuration if fault injection functionality is not needed
- Avoid frequent creation and removal of null_blk devices until the kernel is patched
- Monitor system memory and schedule periodic reboots if memory pressure becomes problematic
# Check if null_blk fault injection is enabled
zcat /proc/config.gz | grep CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION
# To disable, rebuild kernel with:
# CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION=n
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
