CVE-2026-22994 PUBLISHED

bpf: Fix reference count leak in bpf_prog_test_run_xdp()

Assigner: Linux
Reserved: 13.01.2026 Published: 23.01.2026 Updated: 23.01.2026

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix reference count leak in bpf_prog_test_run_xdp()

syzbot is reporting

unregister_netdevice: waiting for sit0 to become free. Usage count = 2

problem. A debug printk() patch found that a refcount is obtained at xdp_convert_md_to_buff() from bpf_prog_test_run_xdp().

According to commit ec94670fcb3b ("bpf: Support specifying ingress via xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().

Therefore, we can consider that the error handling path introduced by commit 1c1949982524 ("bpf: introduce frags support to bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md().

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 1c194998252469cad00a08bd9ef0b99fd255c260 to 368569bc546d3368ee9980ba79fc42fdff9a3365 (excl.)
  • affected from 1c194998252469cad00a08bd9ef0b99fd255c260 to 98676ee71fd4eafeb8be63c7f3f1905d40e03101 (excl.)
  • affected from 1c194998252469cad00a08bd9ef0b99fd255c260 to fb9ef40cccdbacce36029b305d0ef1e12e4fea38 (excl.)
  • affected from 1c194998252469cad00a08bd9ef0b99fd255c260 to 737be05a765761d7d7c9f7fe92274bd8e6f6951e (excl.)
  • affected from 1c194998252469cad00a08bd9ef0b99fd255c260 to ec69daabe45256f98ac86c651b8ad1b2574489a7 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 5.18 is affected
  • unaffected from 0 to 5.18 (excl.)
  • unaffected from 6.1.161 to 6.1.* (incl.)
  • unaffected from 6.6.121 to 6.6.* (incl.)
  • unaffected from 6.12.66 to 6.12.* (incl.)
  • unaffected from 6.18.6 to 6.18.* (incl.)
  • unaffected from 6.19-rc6 to * (incl.)

References