CVE-2026-23087 Overview
A memory leak vulnerability has been identified in the Linux kernel's Xen SCSI backend driver (scsiback). The vulnerability exists in the scsiback_remove() function, where memory allocated for struct vscsiblk_info during scsiback_probe() is not properly freed. This results in memory leaks when the device is removed or when error paths are triggered during the probe phase.
Critical Impact
Repeated exploitation of this memory leak could lead to kernel memory exhaustion, potentially causing system instability or denial of service conditions on Xen virtualized environments.
Affected Products
- Linux Kernel (multiple versions with Xen SCSI backend support)
- Xen hypervisor environments using SCSI passthrough
- Systems utilizing the xen-scsiback driver module
Discovery Timeline
- 2026-02-04 - CVE CVE-2026-23087 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-23087
Vulnerability Analysis
This vulnerability is a classic memory leak in kernel driver code. The scsiback_probe() function allocates memory for struct vscsiblk_info to store device-specific information for the Xen SCSI backend. However, the corresponding cleanup function scsiback_remove() fails to deallocate this memory structure when the device is removed from the system.
The memory leak affects two code paths: the normal device removal path through scsiback_remove() and the error handling paths within scsiback_probe() itself. When either of these paths is executed without proper memory cleanup, the allocated vscsiblk_info structure becomes unreachable, leading to memory leakage.
In virtualized environments where devices may be frequently attached and detached, this vulnerability can compound over time, gradually consuming available kernel memory until the system becomes unstable or unresponsive.
Root Cause
The root cause is missing deallocation logic in the scsiback_remove() function. When the driver was originally implemented, the kfree() call to release the struct vscsiblk_info memory was not included in the removal function. Additionally, the error handling paths in scsiback_probe() did not properly clean up the allocated structure before returning failure codes.
Attack Vector
The attack vector for this vulnerability is limited to local exploitation scenarios where an attacker has the ability to repeatedly trigger device probe and removal operations. On systems running Xen with SCSI backend support, an attacker with sufficient privileges in a guest VM or with local access to the hypervisor management interfaces could potentially exploit this by repeatedly adding and removing SCSI devices to exhaust kernel memory over time.
The vulnerability requires local access and the ability to manipulate device configurations, making it more suitable for denial of service attacks rather than privilege escalation or code execution.
Detection Methods for CVE-2026-23087
Indicators of Compromise
- Gradual increase in kernel memory usage over time without corresponding workload increase
- Memory allocation failures in kernel logs related to SCSI or Xen subsystems
- System instability or slowdowns on Xen-based virtualized systems with frequent SCSI device operations
- Kernel OOM (Out of Memory) killer activations on systems with Xen SCSI backend enabled
Detection Strategies
- Monitor kernel memory usage trends using tools like /proc/meminfo and slabtop to detect gradual memory consumption
- Implement kernel memory leak detection using KMEMLEAK debugging facility when available
- Review system logs for Xen SCSI backend related errors or warnings during device removal operations
- Use ftrace or perf to monitor scsiback_probe() and scsiback_remove() function calls and correlate with memory allocation patterns
Monitoring Recommendations
- Configure alerting for sustained growth in kernel slab allocations on Xen hosts
- Monitor /sys/kernel/debug/kmemleak for unreferenced memory objects when debugging is enabled
- Track SCSI device attach/detach events in conjunction with memory metrics
- Implement baseline memory profiling for Xen hypervisor hosts to detect anomalous consumption
How to Mitigate CVE-2026-23087
Immediate Actions Required
- Apply the appropriate kernel patch for your distribution immediately
- If patching is not immediately possible, consider disabling or unloading the xen-scsiback module if not required
- Monitor affected systems for memory exhaustion symptoms until patches can be applied
- Limit SCSI device configuration changes on affected systems to reduce exposure
Patch Information
The Linux kernel maintainers have released patches to address this memory leak. The fix adds proper kfree() calls in scsiback_remove() to deallocate the vscsiblk_info structure, and ensures error paths in scsiback_probe() properly clean up allocated memory before returning.
Patches are available through the stable kernel tree:
- Kernel Git Commit 24c441f0
- Kernel Git Commit 32e52b56
- Kernel Git Commit 901a5f30
- Kernel Git Commit f86264ec
Workarounds
- Unload the xen-scsiback kernel module using modprobe -r xen-scsiback if SCSI passthrough functionality is not required
- Blacklist the module by adding blacklist xen-scsiback to /etc/modprobe.d/blacklist.conf to prevent automatic loading
- Minimize SCSI device add/remove operations on affected systems until patches are applied
- Implement periodic system reboots as a temporary measure to reclaim leaked memory on critical systems
# Temporary workaround: Unload the vulnerable module if not in use
lsmod | grep xen_scsiback
modprobe -r xen-scsiback
# Prevent automatic loading
echo "blacklist xen-scsiback" >> /etc/modprobe.d/blacklist-xen-scsiback.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
