The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23326

CVE-2026-23326: Linux Kernel Buffer Overflow Vulnerability

CVE-2026-23326 is a buffer overflow vulnerability in the Linux kernel's XSK fragment node deletion mechanism that causes memory buffer leaks. This article covers technical details, affected versions, and mitigation.

Published: March 27, 2026

CVE-2026-23326 Overview

A memory leak vulnerability exists in the Linux kernel's XSK (AF_XDP socket) subsystem due to improper fragment node deletion in the buffer management code. The vulnerability was introduced after commit b692bf9a7543 which reused the list_node field for both the xskb pool list and the buffer free list. When buffers are removed from the xskb pool list using list_del(), the node pointers are not reinitialized, causing list_empty() checks to incorrectly return false. This results in xp_free() skipping the addition of buffers to the free list, leading to a gradual memory leak that can impact system stability over time.

Critical Impact

Sustained exploitation of this memory leak can lead to kernel memory exhaustion, potentially causing system instability or denial of service on systems utilizing AF_XDP sockets for high-performance network packet processing.

Affected Products

  • Linux Kernel (versions with commit b692bf9a7543 applied)
  • Systems utilizing AF_XDP sockets for network packet processing
  • Network appliances and servers with XDP-enabled network configurations

Discovery Timeline

  • 2026-03-25 - CVE CVE-2026-23326 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2026-23326

Vulnerability Analysis

The vulnerability stems from a code change in the XSK subsystem that consolidated the use of the list_node field within the xdp_buff_xsk structure. Prior to commit b692bf9a7543, separate list nodes were maintained for the xskb pool list and the buffer free list. After the consolidation, a single list_node field serves dual purposes, creating a conflict in how list membership is tracked.

The core issue lies in the xp_free() function's use of list_empty(&xskb->list_node) to determine whether a buffer should be added to the free list. When list_del() is called to remove a node from the xskb pool list, it sets the node's next and prev pointers to LIST_POISON1 and LIST_POISON2 respectively, rather than reinitializing them to point to the node itself. Consequently, list_empty() returns false (indicating the node is still part of a list), causing xp_free() to skip the buffer, resulting in a memory leak.

Root Cause

The root cause is the improper use of list_del() instead of list_del_init() in fragment handling paths within the XSK subsystem. The list_del() function removes a node from a linked list but leaves the node's pointers in an undefined state (poisoned values for debugging). In contrast, list_del_init() removes the node and reinitializes its pointers to create an empty list state, which is the expected behavior for subsequent list_empty() checks to function correctly.

Attack Vector

This vulnerability manifests during normal XSK socket operations involving fragmented packets. When XDP programs process multi-fragment packets and subsequently free buffers, the improper list management causes buffers to be orphaned rather than returned to the free pool. An attacker with local access who can generate sustained XDP socket traffic with fragmented packets could potentially accelerate memory exhaustion, leading to degraded system performance or denial of service conditions.

The vulnerability requires local access to create and manipulate AF_XDP sockets, which typically requires elevated privileges or specific capability grants (CAP_NET_RAW or CAP_NET_ADMIN).

Detection Methods for CVE-2026-23326

Indicators of Compromise

  • Gradual increase in kernel memory usage over time on systems running AF_XDP applications
  • xsk or xdp related memory allocation failures in kernel logs
  • Unexplained system slowdowns or OOM (Out of Memory) killer activations on network-intensive workloads
  • Growing slab cache utilization in /proc/slabinfo for XSK-related objects

Detection Strategies

  • Monitor /proc/meminfo for abnormal kernel memory growth patterns on systems using AF_XDP
  • Implement alerting on MemFree and Slab metrics trending toward critical thresholds
  • Use bpftrace or ftrace to trace xp_free() function calls and detect skipped buffer additions
  • Deploy kernel memory leak detection tools such as kmemleak during testing phases

Monitoring Recommendations

  • Enable kernel memory debugging options during development and testing phases
  • Implement continuous monitoring of kernel slab allocations on production systems using XDP
  • Set up automated alerts for memory pressure events that may indicate gradual leaks
  • Regularly review dmesg output for XSK-related warning or error messages

How to Mitigate CVE-2026-23326

Immediate Actions Required

  • Apply the latest kernel patches that replace list_del() with list_del_init() in XSK fragment handling paths
  • Prioritize patching on systems that actively utilize AF_XDP sockets for network processing
  • Schedule kernel updates for all affected systems, prioritizing network appliances and high-performance computing nodes
  • Implement regular system reboots as a temporary measure to reclaim leaked memory if patching is delayed

Patch Information

The Linux kernel maintainers have released patches that fix this vulnerability by changing all fragment handling paths to use list_del_init() instead of list_del(). This ensures the list node is properly reinitialized after removal, allowing list_empty() checks to function correctly and preventing buffer leaks.

Multiple patch commits are available for different kernel stable branches:

  • Linux Kernel Commit 2a9ea98
  • Linux Kernel Commit 5172adf9
  • Linux Kernel Commit 60abb0ac
  • Linux Kernel Commit 645c6d83
  • Linux Kernel Commit b38cbd4a

Workarounds

  • If immediate patching is not feasible, consider temporarily disabling XDP-accelerated applications and reverting to traditional socket interfaces
  • Implement memory monitoring scripts that trigger proactive system restarts when kernel memory reaches critical thresholds
  • Reduce the volume of fragmented packet processing through XDP sockets where possible
  • Limit AF_XDP socket creation to essential services and trusted applications using capability restrictions
bash
# Configuration example: Monitor kernel memory and alert on potential leaks
#!/bin/bash
# Memory monitoring script for systems vulnerable to CVE-2026-23326

THRESHOLD_KB=1048576  # 1GB threshold for kernel slab growth
INTERVAL=300          # Check every 5 minutes

while true; do
    SLAB_USAGE=$(grep "^Slab:" /proc/meminfo | awk '{print $2}')
    if [ "$SLAB_USAGE" -gt "$THRESHOLD_KB" ]; then
        logger -p kern.warning "CVE-2026-23326: High slab usage detected: ${SLAB_USAGE}KB"
    fi
    sleep $INTERVAL
done

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeBuffer Overflow
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.02%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Linux Kernel Commit 2a9ea98
  • Linux Kernel Commit 5172adf9
  • Linux Kernel Commit 60abb0ac
  • Linux Kernel Commit 645c6d83
  • Linux Kernel Commit b38cbd4a
  • Related CVEs
  • CVE-2026-31412: Linux Kernel Buffer Overflow Vulnerability
  • CVE-2026-23448: Linux Kernel Buffer Overflow Vulnerability
  • CVE-2026-23447: Linux Kernel Buffer Overflow Vulnerability
  • CVE-2026-31395: Linux Kernel Buffer Overflow Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English