CVE-2026-23046 Overview
CVE-2026-23046 is a memory management vulnerability in the Linux kernel's virtio_net driver where a device mismatch occurs between memory allocation and deallocation operations. The vulnerability exists in the RSS (Receive Side Scaling) header allocation mechanism, where the initial allocation uses virtio_device->device but the subsequent deallocation in virtnet_set_queues() incorrectly uses net_device->device, triggering devres (device resource management) warnings and potential memory management issues.
Critical Impact
This device mismatch in the Linux kernel's virtio_net driver can cause kernel warnings and potentially lead to memory management inconsistencies in virtualized network environments, affecting system stability and reliability.
Affected Products
- Linux Kernel with virtio_net driver
- Systems using virtio_vdpa and vDPA (vhost Data Path Acceleration)
- Marvell CN106XX and similar hardware platforms with vDPA support
Discovery Timeline
- February 4, 2026 - CVE-2026-23046 published to NVD
- February 4, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23046
Vulnerability Analysis
This vulnerability stems from inconsistent device context usage in the Linux kernel's managed device resource (devres) framework within the virtio_net driver. The devres subsystem tracks memory allocations tied to specific device structures, ensuring automatic cleanup when devices are removed. When devm_kzalloc() allocates memory using one device context (virtio_device->device) but devm_kfree() attempts to release it using a different device context (net_device->device), the devres framework cannot locate the allocation in its tracking structures, resulting in the observed warning at drivers/base/devres.c:1095.
The kernel warning indicates the mismatch occurs specifically during the virtnet_set_queues() function execution, called during device probing via the virtnet_probe() path. This affects systems utilizing vDPA (vhost Data Path Acceleration) technology, including configurations with octep_vdpa, virtio_vdpa, and virtio_net modules.
Root Cause
The root cause is the inconsistent use of device pointers between allocation and deallocation paths in the virtio_net driver's RSS header management. The initial rss_hdr allocation is performed using the virtio device's underlying device structure, while the cleanup path in virtnet_set_queues() erroneously references the network device's device structure. Since these are distinct device objects in the kernel's device model, the devres tracking mechanism cannot correlate the free operation with the original allocation.
Attack Vector
This vulnerability is triggered through normal device probing operations when the virtio_net driver initializes on vDPA-enabled systems. The call trace indicates the issue manifests during:
- vDPA device registration via _vdpa_register_device()
- virtio device probing through virtio_dev_probe()
- Network interface initialization in virtnet_probe()
- Queue configuration in virtnet_set_queues() where the mismatched devm_kfree() occurs
While this vulnerability does not appear to be remotely exploitable, it can cause system instability and kernel warnings during normal virtualized network operations. The vulnerability is triggered through the netlink interface (netlink_sendmsg) when adding vDPA devices via the vdpa_nl_cmd_dev_add_set_doit() handler.
Detection Methods for CVE-2026-23046
Indicators of Compromise
- Kernel warning messages containing WARNING: drivers/base/devres.c:1095 at devm_kfree in system logs
- Stack traces showing virtnet_set_queues and virtnet_probe in call chains
- Warning messages referencing virtio_net, virtio_vdpa, or octep_vdpa modules
- Kernel taint flag [W]=WARN appearing in dmesg output
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for devres warnings during vDPA device operations
- Implement kernel log parsing rules to detect devm_kfree warnings with virtio_net module references
- Use SentinelOne's Singularity platform to monitor for kernel-level anomalies and warning patterns
- Create alerts for systems running affected kernel versions with virtio_net and vDPA modules loaded
Monitoring Recommendations
- Enable enhanced kernel logging for device resource management operations
- Monitor module loading events for virtio_net, virtio_vdpa, and octep_vdpa combinations
- Track system stability metrics on virtualized hosts using vDPA networking
- Implement automated alerting for kernel warning patterns matching the CVE signature
How to Mitigate CVE-2026-23046
Immediate Actions Required
- Apply the kernel patches from the official Linux kernel stable branches
- Review systems using vDPA networking configurations for potential exposure
- Monitor affected systems for kernel warnings until patches can be deployed
- Consider temporarily avoiding vDPA device additions on production systems until patched
Patch Information
The fix ensures consistent use of virtio_device->device for both allocation and deallocation operations in the virtio_net driver. Official patches are available through the Linux kernel stable tree:
Apply these patches by updating to a kernel version that includes these commits, or by backporting the changes to your current kernel version.
Workarounds
- Avoid dynamic vDPA device addition/removal operations until the kernel is patched
- Use alternative networking configurations that do not rely on virtio_vdpa if possible
- Implement additional system monitoring to detect and alert on kernel warnings
- Schedule maintenance windows to apply kernel updates on affected virtualized infrastructure
# Check for loaded affected modules
lsmod | grep -E "(virtio_net|virtio_vdpa|octep_vdpa)"
# Monitor kernel logs for devres warnings
dmesg -w | grep -i "devm_kfree\|devres"
# Check current kernel version
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
