
CVE-2026-23164: Linux Kernel Rocker Memory Leak Flaw

CVE-2026-23164 is a memory leak flaw in the Linux kernel's rocker driver that causes memory to leak during port removal. This article covers the technical details, affected versions, impact, and mitigation steps.

Published: February 20, 2026

CVE-2026-23164 Overview

CVE-2026-23164 is a Memory Leak vulnerability in the Linux kernel's rocker network driver. The vulnerability exists in the rocker_world_port_post_fini() function, where memory allocated for port private data (rocker_port->wpriv) is not properly freed when ports are removed. This occurs specifically because the rocker_ofdpa_ops implementation does not set the port_post_fini callback, causing the conditional memory deallocation logic to skip the kfree() call entirely.

Critical Impact

Memory leak of sizeof(struct ofdpa_port) bytes per port on every device removal, potentially leading to kernel memory exhaustion on systems with frequent device operations.

Affected Products

  • Linux kernel (rocker network driver)
  • Systems using OpenFlow Data Plane Abstraction (OFDPA) with rocker devices
  • Linux-based network infrastructure utilizing rocker virtual switches

Discovery Timeline

  • 2026-02-14 - CVE-2026-23164 published to NVD
  • 2026-02-18 - Last updated in NVD database

Technical Details for CVE-2026-23164

Vulnerability Analysis

The vulnerability resides in the rocker network switch driver's port finalization logic. During port initialization in rocker_world_port_pre_init(), the driver allocates memory for port-specific private data using kzalloc(wops->port_priv_size, GFP_KERNEL) and stores the pointer in rocker_port->wpriv.

The problematic code path in rocker_world_port_post_fini() only frees this allocated memory when the wops->port_post_fini callback is defined. The implementation uses a guard clause that returns early when no callback exists, bypassing the subsequent kfree() operation entirely.

Since rocker_ofdpa_ops does not implement the port_post_fini callback (it is NULL), ports using the OFDPA operations table will leak memory every time they are removed. Each leak amounts to sizeof(struct ofdpa_port) bytes, which can accumulate significantly on systems with dynamic port operations or frequent device hot-plugging.

Root Cause

The root cause is a logic error in the memory deallocation code path. The kfree(rocker_port->wpriv) call is reachable only when an optional callback function exists, because it sits after a guard clause that tests for that callback. When this callback is not implemented (as is the case with rocker_ofdpa_ops), the function returns early without releasing the allocated memory.

The flawed logic pattern:

```c
if (!wops->port_post_fini)
        return;
wops->port_post_fini(rocker_port);
kfree(rocker_port->wpriv);
```

The fix ensures kfree(rocker_port->wpriv) is always called regardless of whether the port_post_fini callback exists, separating the optional callback invocation from the mandatory memory cleanup.
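
The two patterns side by side, as an added userspace model that is not the kernel's code or the upstream patch. calloc()/free() stand in for kzalloc()/kfree(), and release_wpriv(), leaked_after() and noop_fini() are hypothetical helper names; the model counts ports whose wpriv is still allocated after teardown.

```c
/* Userspace model of the teardown logic described above; not kernel code. */
#include <stdio.h>
#include <stdlib.h>

struct rocker_port { void *wpriv; };
struct rocker_world_ops {
    size_t port_priv_size;
    void (*port_post_fini)(struct rocker_port *port);  /* optional callback */
};
/* Stands in for kfree(rocker_port->wpriv); NULL marks the buffer as released. */
static void release_wpriv(struct rocker_port *port) { free(port->wpriv); port->wpriv = NULL; }
/* Flawed pattern: the guard clause returns before the free is reached. */
static void post_fini_flawed(const struct rocker_world_ops *wops, struct rocker_port *port)
{
    if (!wops->port_post_fini)
        return;
    wops->port_post_fini(port);
    release_wpriv(port);
}
/* Fixed pattern: the callback stays optional, the free is unconditional. */
static void post_fini_fixed(const struct rocker_world_ops *wops, struct rocker_port *port)
{
    if (wops->port_post_fini)
        wops->port_post_fini(port);
    release_wpriv(port);
}
/* Create and remove nports ports; return how many wpriv buffers leaked. */
static int leaked_after(const struct rocker_world_ops *wops, int nports, int fixed)
{
    int leaked = 0;
    for (int i = 0; i < nports; i++) {
        /* Models the kzalloc() in rocker_world_port_pre_init(). */
        struct rocker_port port = { calloc(1, wops->port_priv_size) };
        if (!port.wpriv)
            continue;
        (fixed ? post_fini_fixed : post_fini_flawed)(wops, &port);
        if (port.wpriv) {          /* still allocated after teardown: a leak */
            leaked++;
            free(port.wpriv);      /* reclaimed so the demo itself stays clean */
        }
    }
    return leaked;
}
static void noop_fini(struct rocker_port *port) { (void)port; }
int main(void)
{
    struct rocker_world_ops no_cb = { 64, NULL }, with_cb = { 64, noop_fini };  /* 64: constructed size */
    printf("no callback: flawed leaks %d, fixed leaks %d\n", leaked_after(&no_cb, 8, 0), leaked_after(&no_cb, 8, 1));
    printf("with callback: flawed leaks %d\n", leaked_after(&with_cb, 8, 0));
    return 0;
}
```

The flawed variant leaks only when the callback is NULL, which is why an ops table that does set port_post_fini would not show the problem.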

Attack Vector

This is a kernel memory leak vulnerability with local impact. While not directly exploitable for code execution, the vulnerability can be triggered through:

  • Normal device removal operations
  • Hot-plugging rocker network devices
  • Virtual network infrastructure management operations

Repeated triggering could lead to kernel memory exhaustion, potentially causing system instability or denial of service conditions on long-running systems.

Detection Methods for CVE-2026-23164

Indicators of Compromise

  • Gradual increase in kernel memory usage (slab allocations) on systems using rocker network devices
  • Memory pressure warnings in kernel logs after repeated network device operations
  • Unexplained memory consumption growth in systems running virtual network infrastructure

Detection Strategies

  • Monitor /proc/meminfo and /proc/slabinfo for abnormal memory growth patterns
  • Use kernel memory debugging tools like kmemleak to detect unreleased allocations in the rocker driver
  • Track slab allocator statistics for kmalloc-* caches associated with the ofdpa_port structure size
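
One way to turn the slab tracking above into a check, as an added example that is not SentinelOne's or the kernel project's code: it compares two /proc/slabinfo snapshots and flags a cache whose active objects grew by at least the number of port removals performed in between. Assumptions: the snapshots are constructed, the cache name kmalloc-1k is a placeholder because the page does not state sizeof(struct ofdpa_port), and the function names are hypothetical.

```c
/* Added example: growth of one slab cache between two /proc/slabinfo snapshots. */
#include <stdio.h>
#include <string.h>

/* Constructed samples, slabinfo 2.1 column order:
 * name active_objs num_objs objsize objperslab pagesperslab : ... */
static const char SNAP_BEFORE[] =
    "slabinfo - version: 2.1\n"
    "kmalloc-2k   1200 1216 2048 16 8 : tunables 0 0 0 : slabdata 76 76 0\n"
    "kmalloc-1k   3100 3104 1024 32 8 : tunables 0 0 0 : slabdata 97 97 0\n";
static const char SNAP_AFTER[] =
    "slabinfo - version: 2.1\n"
    "kmalloc-2k   1201 1216 2048 16 8 : tunables 0 0 0 : slabdata 76 76 0\n"
    "kmalloc-1k   3164 3168 1024 32 8 : tunables 0 0 0 : slabdata 99 99 0\n";

/* Read active_objs for one cache; returns 0 on success, -1 if not found. */
static int active_objs(const char *snap, const char *cache, long *active)
{
    char name[64];
    for (const char *line = snap; line && *line; ) {
        if (sscanf(line, "%63s %ld", name, active) == 2 && strcmp(name, cache) == 0)
            return 0;
        line = strchr(line, '\n');   /* header and other lines are skipped */
        if (line)
            line++;
    }
    return -1;
}
/* Change in active objects between snapshots; 0 if the cache is missing. */
static long growth_objs(const char *before, const char *after, const char *cache)
{
    long a0, a1;
    if (active_objs(before, cache, &a0) || active_objs(after, cache, &a1))
        return 0;
    return a1 - a0;
}
/* Heuristic: the leak costs one object per removed port, so flag a cache
 * that grew by at least the number of removals done between snapshots. */
static int leak_suspected(const char *before, const char *after,
                          const char *cache, long removals)
{
    return removals > 0 && growth_objs(before, after, cache) >= removals;
}
int main(void)
{
    printf("kmalloc-1k grew by %ld objects, suspected=%d\n",
           growth_objs(SNAP_BEFORE, SNAP_AFTER, "kmalloc-1k"),
           leak_suspected(SNAP_BEFORE, SNAP_AFTER, "kmalloc-1k", 64));
    return 0;
}
```

kmalloc caches are shared by the whole kernel, so a match is a prompt to confirm with kmemleak rather than proof of this leak.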

Monitoring Recommendations

  • Implement alerting on sustained kernel memory growth without corresponding workload increase
  • Monitor for OOM killer activations on systems with rocker network configurations
  • Review kernel debug logs for memory allocation patterns in the rocker subsystem

How to Mitigate CVE-2026-23164

Immediate Actions Required

  • Update to a patched Linux kernel version that includes the fix
  • Minimize device hot-plug operations on affected systems until patched
  • Monitor memory usage on systems using rocker network devices and schedule proactive reboots if memory pressure is observed

Patch Information

The vulnerability has been resolved in the Linux kernel. Multiple stable kernel branches have received patches. The fix modifies rocker_world_port_post_fini() to always call kfree(rocker_port->wpriv) regardless of whether the port_post_fini callback is set.

Patch commits are available:

  • Kernel Git Commit d448bf96889f
  • Kernel Git Commit 2a3a64d75d2d
  • Kernel Git Commit 8ce2e8588993
  • Kernel Git Commit 8d7ba71e4621
  • Kernel Git Commit b11e6f926480
  • Kernel Git Commit d8723917efda
  • Kernel Git Commit dce375f4afc3

Workarounds

  • If the rocker driver is not required, consider blacklisting the module to prevent loading
  • Implement scheduled system reboots to clear accumulated leaked memory on production systems
  • Use cgroups memory limits to constrain kernel memory consumption impact

```bash
# Blacklist the rocker module if it is not required (run as root)
echo "blacklist rocker" >> /etc/modprobe.d/blacklist.conf
# Verify the module is not loaded (no output means it is not loaded)
lsmod | grep rocker
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Other
  • Vendor/Tech: Linux Kernel
  • Severity: NONE
  • CVSS Score: N/A
  • EPSS Probability: 0.02%
  • Known Exploited: No

Impact Assessment

  • Confidentiality: None
  • Integrity: None
  • Availability: None