CVE-2026-23164 Overview
CVE-2026-23164 is a Memory Leak vulnerability in the Linux kernel's rocker network driver. The vulnerability exists in the rocker_world_port_post_fini() function, where memory allocated for port private data (rocker_port->wpriv) is not properly freed when ports are removed. This occurs specifically because the rocker_ofdpa_ops implementation does not set the port_post_fini callback, causing the conditional memory deallocation logic to skip the kfree() call entirely.
Critical Impact
Memory leak of sizeof(struct ofdpa_port) bytes per port on every device removal, potentially leading to kernel memory exhaustion on systems with frequent device operations.
Affected Products
- Linux kernel (rocker network driver)
- Systems using OpenFlow Data Plane Abstraction (OFDPA) with rocker devices
- Linux-based network infrastructure utilizing rocker virtual switches
Discovery Timeline
- 2026-02-14 - CVE CVE-2026-23164 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23164
Vulnerability Analysis
The vulnerability resides in the rocker network switch driver's port finalization logic. During port initialization in rocker_world_port_pre_init(), the driver allocates memory for port-specific private data using kzalloc(wops->port_priv_size, GFP_KERNEL) and stores the pointer in rocker_port->wpriv.
The problematic code path in rocker_world_port_post_fini() only frees this allocated memory when the wops->port_post_fini callback is defined. The implementation uses a guard clause that returns early when no callback exists, bypassing the subsequent kfree() operation entirely.
Since rocker_ofdpa_ops does not implement the port_post_fini callback (it is NULL), ports using the OFDPA operations table will leak memory every time they are removed. Each leak amounts to sizeof(struct ofdpa_port) bytes, which can accumulate significantly on systems with dynamic port operations or frequent device hot-plugging.
Root Cause
The root cause is a logic error in the memory deallocation code path. The kfree(rocker_port->wpriv) call is placed inside a conditional block that depends on the existence of an optional callback function. When this callback is not implemented (as is the case with rocker_ofdpa_ops), the function returns early without releasing the allocated memory.
The flawed logic pattern:
if (!wops->port_post_fini)
return;
wops->port_post_fini(rocker_port);
kfree(rocker_port->wpriv);
The fix ensures kfree(rocker_port->wpriv) is always called regardless of whether the port_post_fini callback exists, separating the optional callback invocation from the mandatory memory cleanup.
Attack Vector
This is a kernel memory leak vulnerability with local impact. While not directly exploitable for code execution, the vulnerability can be triggered through:
- Normal device removal operations
- Hot-plugging rocker network devices
- Virtual network infrastructure management operations
Repeated triggering could lead to kernel memory exhaustion, potentially causing system instability or denial of service conditions on long-running systems.
Detection Methods for CVE-2026-23164
Indicators of Compromise
- Gradual increase in kernel memory usage (slab allocations) on systems using rocker network devices
- Memory pressure warnings in kernel logs after repeated network device operations
- Unexplained memory consumption growth in systems running virtual network infrastructure
Detection Strategies
- Monitor /proc/meminfo and /proc/slabinfo for abnormal memory growth patterns
- Use kernel memory debugging tools like kmemleak to detect unreleased allocations in the rocker driver
- Track slab allocator statistics for kmalloc-* caches associated with the ofdpa_port structure size
Monitoring Recommendations
- Implement alerting on sustained kernel memory growth without corresponding workload increase
- Monitor for OOM killer activations on systems with rocker network configurations
- Review kernel debug logs for memory allocation patterns in the rocker subsystem
How to Mitigate CVE-2026-23164
Immediate Actions Required
- Update to a patched Linux kernel version that includes the fix
- Minimize device hot-plug operations on affected systems until patched
- Monitor memory usage on systems using rocker network devices and schedule proactive reboots if memory pressure is observed
Patch Information
The vulnerability has been resolved in the Linux kernel. Multiple stable kernel branches have received patches. The fix modifies rocker_world_port_post_fini() to always call kfree(rocker_port->wpriv) regardless of whether the port_post_fini callback is set.
Patch commits are available:
- Kernel Git Commit d448bf96889f
- Kernel Git Commit 2a3a64d75d2d
- Kernel Git Commit 8ce2e8588993
- Kernel Git Commit 8d7ba71e4621
- Kernel Git Commit b11e6f926480
- Kernel Git Commit d8723917efda
- Kernel Git Commit dce375f4afc3
Workarounds
- If the rocker driver is not required, consider blacklisting the module to prevent loading
- Implement scheduled system reboots to clear accumulated leaked memory on production systems
- Use cgroups memory limits to constrain kernel memory consumption impact
# Blacklist rocker module if not required
echo "blacklist rocker" >> /etc/modprobe.d/blacklist.conf
# Verify module is not loaded
lsmod | grep rocker
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
