CVE-2026-23284 Overview
A vulnerability has been identified in the Linux kernel's MediaTek Ethernet driver (mtk_eth_soc) within the mtk_xdp_setup() function. The issue occurs when the mtk_open routine fails during XDP (eXpress Data Path) setup, causing improper handling of eBPF program pointers. Specifically, if an error occurs, the code fails to reset the eBPF program pointer back to old_prog and incorrectly decreases its reference count, potentially leading to memory corruption or use-after-free conditions.
Critical Impact
Improper eBPF program pointer handling in the Linux kernel's MediaTek Ethernet driver may lead to memory corruption, reference count issues, or potential denial of service conditions.
Affected Products
- Linux kernel (MediaTek Ethernet driver mtk_eth_soc)
- Systems utilizing MediaTek network hardware with XDP/eBPF functionality
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23284 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23284
Vulnerability Analysis
This vulnerability exists in the Linux kernel's MediaTek Ethernet System-on-Chip driver, specifically within the XDP setup routine. The mtk_xdp_setup() function is responsible for configuring eBPF programs for high-performance packet processing on MediaTek network interfaces.
When the mtk_open routine is called during XDP configuration and fails, the error handling path does not properly restore the eBPF program pointer to its previous state (old_prog). Additionally, the reference count for the program is incorrectly decremented even though the setup failed. This creates a dangerous state where:
- The program pointer may reference an invalid or released memory location
- The reference count becomes inconsistent with the actual number of references
- Subsequent operations on the program pointer could trigger use-after-free conditions
The vulnerability affects the kernel's networking subsystem and could be triggered during normal network interface operations when XDP programs are being attached or reconfigured on MediaTek Ethernet adapters.
Root Cause
The root cause is an error handling deficiency in the mtk_xdp_setup() function. When mtk_open fails, the function should reset the program pointer to old_prog and avoid modifying the reference count since the new program was not successfully installed. The missing cleanup logic creates an inconsistent state between the program pointer and its reference count.
Attack Vector
The vulnerability requires local access to the system with sufficient privileges to configure XDP/eBPF programs on network interfaces. An attacker could potentially trigger the vulnerable code path by:
- Attaching an XDP program to a MediaTek Ethernet interface
- Triggering a failure condition in mtk_open during the setup process
- Exploiting the resulting memory corruption or reference count issues
While direct remote exploitation is unlikely, the vulnerability could be leveraged as part of a privilege escalation chain or to cause denial of service conditions on affected systems.
Detection Methods for CVE-2026-23284
Indicators of Compromise
- Kernel panic or system crashes related to mtk_eth_soc or XDP subsystem
- Unexpected reference count warnings in kernel logs for eBPF programs
- Memory corruption symptoms when using MediaTek Ethernet interfaces with XDP
Detection Strategies
- Monitor kernel logs for warnings or errors related to mtk_xdp_setup, mtk_open, or eBPF reference count operations
- Implement kernel tracing (ftrace/eBPF) to monitor XDP program attachment and error conditions on MediaTek interfaces
- Use kernel memory debugging tools (KASAN, KMEMLEAK) to detect memory corruption or use-after-free conditions
Monitoring Recommendations
- Enable kernel logging verbosity for networking and eBPF subsystems
- Deploy endpoint detection to monitor for abnormal kernel behavior or crashes
- Review system stability on servers using MediaTek Ethernet hardware with XDP configurations
How to Mitigate CVE-2026-23284
Immediate Actions Required
- Apply the latest stable kernel updates that include the fix for this vulnerability
- Review systems using MediaTek Ethernet hardware to identify potentially affected deployments
- If patching is not immediately possible, consider disabling XDP functionality on MediaTek interfaces as a temporary measure
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures that when mtk_open fails in mtk_xdp_setup(), the eBPF program pointer is correctly reset to old_prog and the reference count is not decremented. Multiple stable kernel branches have received backported fixes:
- Kernel Git Commit 0abc73c
- Kernel Git Commit 29629dd
- Kernel Git Commit 6f95b59
- Kernel Git Commit 8c2d76a
- Kernel Git Commit b73dfe1
- Kernel Git Commit ff14cd44
Workarounds
- Temporarily disable XDP/eBPF program attachment on affected MediaTek Ethernet interfaces
- Restrict access to eBPF capabilities using kernel security parameters or unprivileged eBPF restrictions
- Monitor systems for stability issues while awaiting kernel updates
# Restrict unprivileged eBPF (reduces attack surface)
sysctl -w kernel.unprivileged_bpf_disabled=1
# Make persistent
echo "kernel.unprivileged_bpf_disabled=1" >> /etc/sysctl.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
