CVE-2026-23445 Overview
CVE-2026-23445 is a Linux kernel vulnerability in the igc Intel Ethernet driver. The flaw triggers a page fault when an XDP (eXpress Data Path) application that requested TX timestamping shuts down while the network interface link remains up. Stale xsk_meta pointers left behind during TX ring shutdown are dereferenced by the IRQ handler, producing a kernel oops in igc_ptp_tx_tstamp_event and igc_tsync_interrupt. The issue affects Linux kernel 6.10 and 7.0 release candidates rc1 through rc7. Exploitation requires local access with low privileges and results in a high-impact availability loss through kernel crash.
Critical Impact
A local user running an XDP application with TX timestamping can crash the kernel through a use-after-free style page fault in the igc driver interrupt handler.
Affected Products
- Linux Kernel 6.10
- Linux Kernel 7.0-rc1 through 7.0-rc7
- Systems using Intel I225/I226 Ethernet controllers with the igc driver
Discovery Timeline
- 2026-04-03 - CVE-2026-23445 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-23445
Vulnerability Analysis
The vulnerability resides in the Intel igc driver that supports I225 and I226 2.5GbE controllers. The driver supports XDP zero-copy AF_XDP sockets and hardware TX timestamping for Precision Time Protocol (PTP) workloads. When an XDP application requests TX timestamps and then exits while the link stays up, the TX ring teardown path fails to clear the xsk_meta metadata pointers associated with the AF_XDP socket buffers.
The IRQ handler igc_tsync_interrupt continues to process timestamp completion events on the still-active link. It calls igc_ptp_tx_tstamp_event, which dereferences the stale metadata pointer at the freed AF_XDP umem address. The result is a kernel page fault on an unmapped address, as shown by the BUG: unable to handle page fault for address: ffffcfb6200fd008 splat in the original report.
Root Cause
The root cause is missing cleanup of XDP socket metadata during TX ring shutdown. The fix clears the stale xsk_meta data when the TX ring is brought down, ensuring the timestamp interrupt path no longer references freed memory. TX timestamps on other queues that were not used by the exiting XDP application are unaffected by both the bug and the fix.
Attack Vector
A local user with permission to open AF_XDP sockets can trigger the page fault by launching an XDP program that requests TX hardware timestamping and then terminating it while the interface link remains up. Triggering the bug requires CAP_NET_ADMIN or equivalent capabilities to bind AF_XDP sockets and configure XDP programs. The result is a kernel crash and denial of service for the entire host.
No public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-23445
Indicators of Compromise
- Kernel log entries containing BUG: unable to handle page fault for address followed by stack frames referencing igc_ptp_tx_tstamp_event or igc_tsync_interrupt.
- Unexpected kernel panics or task crashes on systems running XDP workloads against Intel I225/I226 NICs.
- Repeated termination of XDP applications that bind AF_XDP sockets with XDP_TX_METADATA timestamp requests.
Detection Strategies
- Monitor dmesg and /var/log/kern.log for oops traces involving the igc module and the PTP timestamp call path.
- Audit running processes for use of AF_XDP sockets combined with SOF_TIMESTAMPING_TX_HARDWARE requests on igc interfaces.
- Correlate kernel crash telemetry with network interface uptime and XDP program load/unload events.
Monitoring Recommendations
- Forward kernel ring buffer logs to a centralized logging or SIEM platform and alert on igc module page fault signatures.
- Track kernel version inventory across Linux hosts to identify systems running 6.10 or 7.0-rc series builds.
- Watch for abnormal NIC interrupt rates or driver resets on hosts using igc with PTP enabled.
How to Mitigate CVE-2026-23445
Immediate Actions Required
- Apply the upstream patch from one of the stable kernel commits: 31521c124e64, 45b33e805bd3, 5e4c90c94eb7, or b02fa17d1744.
- Update to a stable Linux kernel release that includes the igc XDP TX timestamp cleanup fix.
- Restrict CAP_NET_ADMIN and AF_XDP socket access to trusted service accounts only on affected hosts.
Patch Information
The fix was merged into the mainline Linux kernel through four stable backport commits referenced on git.kernel.org. The patch cleans up stale xsk_meta data during TX ring shutdown so the interrupt handler no longer dereferences freed AF_XDP socket metadata. See the Kernel Git Commit b02fa17d1744 for the mainline change and the additional stable backport 31521c124e64, 45b33e805bd3, and 5e4c90c94eb7 commits.
Workarounds
- Disable hardware TX timestamping on igc interfaces if XDP TX timestamps are not required for the workload.
- Avoid running untrusted XDP applications that request TX hardware timestamping on production hosts until patched.
- Bring the interface link down before terminating XDP applications that requested TX timestamping, removing the interrupt source that dereferences stale metadata.
# Verify running kernel version and igc driver status
uname -r
modinfo igc | grep -E '^(version|filename)'
# Disable hardware TX timestamping on an igc interface as a temporary workaround
sudo hwstamp_ctl -i <iface> -t 0 -r 0
# Confirm the patch is present after upgrading
git log --oneline drivers/net/ethernet/intel/igc/ | grep -i 'xdp.*tx.*timestamp'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
