CVE-2026-23453 Overview
A memory leak vulnerability has been identified in the Linux kernel's TI ICSSG-PRUETH network driver. The issue occurs in the XDP (eXpress Data Path) packet processing code, specifically in the emac_run_xdp() function when handling XDP_DROP actions in non-zero-copy mode. When page recycling was removed from the XDP_DROP path to avoid conflicts with AF_XDP zero-copy mode, it inadvertently caused memory pages to never be returned to the page pool in standard page pool mode, leading to potential out-of-memory (OOM) conditions.
Critical Impact
Systems running XDP programs that drop packets in non-zero-copy mode may experience memory exhaustion and OOM conditions, potentially causing system instability or denial of service.
Affected Products
- Linux kernel with TI ICSSG-PRUETH network driver
- Systems using XDP programs in non-zero-copy mode
- Texas Instruments AM64x and AM65x industrial SoCs with ICSSG PRU subsystem
Discovery Timeline
- 2026-04-03 - CVE CVE-2026-23453 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-23453
Vulnerability Analysis
This vulnerability is classified as a Memory Leak affecting the Linux kernel's network subsystem. The TI ICSSG-PRUETH driver implements XDP (eXpress Data Path) functionality for high-performance packet processing on Texas Instruments industrial Ethernet subsystems.
The root issue stems from a code change that removed page recycling logic from the XDP_DROP handling path in emac_run_xdp(). This modification was originally made to prevent conflicts with AF_XDP zero-copy mode, which uses a different memory management approach via xsk_buff_free(). However, the change had unintended consequences for the non-zero-copy code path.
In standard page pool mode, when an XDP program issues an XDP_DROP verdict, the associated memory page should be returned to the page pool for reuse. Without proper recycling, each dropped packet causes a permanent memory allocation that is never freed, resulting in gradual memory exhaustion proportional to network traffic volume and drop rate.
Root Cause
The vulnerability originates from incomplete handling of the ICSSG_XDP_CONSUMED return value in the packet receive path. When emac_run_xdp() returns this value for XDP_DROP verdicts, the caller emac_rx_packet() did not properly recycle the page back to the page pool. The zero-copy path in emac_rx_packet_zc() correctly handled cleanup using xsk_buff_free(), but the standard path lacked equivalent cleanup logic.
Attack Vector
This vulnerability is triggered locally through network traffic processing. An attacker with the ability to send network traffic to an affected system running an XDP program that drops packets could accelerate memory exhaustion. The attack does not require authentication but does require:
- The target system running a Linux kernel with the vulnerable ICSSG-PRUETH driver
- An active XDP program configured to drop packets (XDP_DROP action)
- The system operating in non-zero-copy (standard page pool) mode
- Sufficient network traffic volume to trigger meaningful memory consumption
The impact is primarily denial of service through resource exhaustion rather than code execution or privilege escalation.
Detection Methods for CVE-2026-23453
Indicators of Compromise
- Gradual increase in memory usage on systems with ICSSG-PRUETH interfaces under XDP_DROP workloads
- System logs showing OOM killer activity or memory pressure warnings
- Decreasing page pool free page counts over time without corresponding system memory release
- Kernel warnings related to page allocation failures in network stack
Detection Strategies
- Monitor system memory usage trends, particularly looking for steady increases correlated with network traffic
- Check for ICSSG-PRUETH driver presence with lsmod | grep icssg_prueth and active XDP programs
- Use bpftool prog list to identify attached XDP programs and their drop statistics
- Review /proc/meminfo for unexpected memory consumption patterns in the slab allocator
Monitoring Recommendations
- Implement memory utilization alerting for systems running XDP workloads on TI ICSSG hardware
- Configure page pool statistics monitoring via kernel tracepoints where available
- Enable kernel memory debugging options during testing to identify leak patterns
- Set up automated health checks for network processing systems to detect early signs of memory pressure
How to Mitigate CVE-2026-23453
Immediate Actions Required
- Apply the kernel patches from the upstream commits to affected systems
- If patching is not immediately possible, consider temporarily disabling XDP programs on ICSSG-PRUETH interfaces
- Monitor memory usage closely on systems that cannot be immediately patched
- Plan system restarts for affected hosts to clear accumulated memory leaks before OOM conditions occur
Patch Information
The Linux kernel maintainers have released fixes for this vulnerability through the stable kernel tree. The patches modify emac_rx_packet() to properly recycle pages to the page pool when emac_run_xdp() returns ICSSG_XDP_CONSUMED for XDP_DROP actions.
Relevant kernel commits:
Organizations should update to a kernel version containing these patches through their distribution's standard update mechanisms.
Workarounds
- Disable XDP programs on affected ICSSG-PRUETH interfaces until patches can be applied
- Switch to AF_XDP zero-copy mode if supported, as this code path handles cleanup correctly
- Implement periodic system restarts as a temporary measure to clear accumulated memory leaks
- Reduce network traffic exposure to systems running vulnerable configurations where possible
# Check for ICSSG-PRUETH driver and XDP programs
lsmod | grep icssg_prueth
bpftool prog list | grep -i xdp
# Detach XDP program from interface as workaround
ip link set dev eth0 xdp off
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
