CVE-2026-23445 Overview
A page fault vulnerability has been discovered in the Linux kernel's igc (Intel I225/I226 Ethernet) network driver related to XDP (eXpress Data Path) TX timestamp handling. The vulnerability occurs when an XDP application that requested TX timestamping shuts down while the network interface link remains active, resulting in a kernel page fault due to stale xsk_meta pointers being accessed by the interrupt handler.
Critical Impact
This vulnerability can cause kernel panics and system instability when XDP applications utilizing TX timestamping are terminated while the network interface remains operational.
Affected Products
- Linux kernel with igc driver (Intel I225/I226 Ethernet controllers)
- Systems running XDP applications with TX timestamping enabled
- Affected kernel versions prior to the security patches
Discovery Timeline
- 2026-04-03 - CVE CVE-2026-23445 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-23445
Vulnerability Analysis
The vulnerability exists in the igc driver's handling of TX timestamps for XDP (eXpress Data Path) applications. When an XDP application requests TX timestamping and subsequently shuts down while the network interface link remains active, the driver fails to properly clean up the xsk_meta pointers associated with the TX ring. This leaves stale pointer references that the interrupt request (IRQ) handler attempts to access during timestamp processing.
The kernel crash manifests as a page fault when the igc_ptp_tx_tstamp_event() function is invoked through the igc_tsync_interrupt() handler, attempting to dereference memory at an invalid address. The call trace indicates the fault occurs within the igc module's PTP (Precision Time Protocol) timestamp event processing routine.
Root Cause
The root cause is a resource cleanup deficiency in the TX ring shutdown path. During shutdown of the TX ring, the xsk_meta pointers are not properly cleaned up, leaving dangling references. When the interrupt handler fires for timestamp synchronization events, it attempts to access these stale pointers, causing a page fault at addresses like ffffcfb6200fd008 as shown in the kernel splat.
The fix involves properly cleaning up stale xsk metadata on TX shutdown, ensuring that TX timestamps on other queues remain unaffected while preventing the IRQ handler from accessing freed memory.
Attack Vector
The vulnerability is triggered through a specific operational sequence rather than an external attack vector. The conditions required are:
- An XDP application must be running with TX timestamping enabled on an igc-based network interface
- The network interface link must remain active (up)
- The XDP application must shut down while conditions 1 and 2 are met
- A timestamp synchronization interrupt must occur after shutdown but before proper cleanup
While this may appear to be a reliability issue, the kernel page fault could potentially be triggered maliciously by a local attacker with sufficient privileges to control XDP application lifecycle, leading to denial of service through kernel panic.
Detection Methods for CVE-2026-23445
Indicators of Compromise
- Kernel panic or BUG messages containing unable to handle page fault with addresses in the ffffcfb6 range
- Call traces showing igc_ptp_tx_tstamp_event and igc_tsync_interrupt in the stack
- System crashes correlating with XDP application termination on Intel I225/I226 NICs
- Kernel logs showing task context T1554 or similar with igc module references
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for BUG or page fault messages involving the igc module
- Set up alerting on kernel oops or panic events that include igc_ptp_tx_tstamp_event in the call trace
- Deploy kernel tracing using ftrace or eBPF to monitor igc_tsync_interrupt invocations during XDP shutdown sequences
- Implement watchdog monitoring for unexpected system reboots on systems using igc drivers with XDP
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture diagnostic information if the vulnerability is triggered
- Monitor for patterns of XDP application restarts combined with system instability
- Track igc driver interrupt statistics using ethtool -S to identify anomalous timestamp interrupt patterns
- Consider deploying SentinelOne Singularity for real-time kernel-level threat detection and behavioral monitoring
How to Mitigate CVE-2026-23445
Immediate Actions Required
- Apply the latest kernel patches from your Linux distribution's security repository
- If patching is not immediately possible, consider stopping XDP applications gracefully before bringing down interfaces
- Monitor systems for unexpected kernel panics and investigate any igc-related crashes
- Review XDP application shutdown procedures to ensure clean termination sequences
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures proper cleanup of stale xsk metadata during TX shutdown. Multiple commits have been made available:
- Kernel Git Commit 31521c1
- Kernel Git Commit 45b33e8
- Kernel Git Commit 5e4c90c
- Kernel Git Commit b02fa17
Organizations should apply these patches through their standard kernel update process or by rebuilding kernels with the fix included.
Workarounds
- Disable TX timestamping for XDP applications if the feature is not strictly required
- Bring down the network interface link before shutting down XDP applications that use TX timestamping
- Use alternative network drivers (if available) for XDP workloads until the patch can be applied
- Implement application-level safeguards to ensure clean shutdown sequences for XDP programs
# Workaround: Bring down interface before stopping XDP application
# Example shutdown sequence
ip link set eth0 down
# Then terminate XDP application
# Finally, if needed, bring interface back up
ip link set eth0 up
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
