CVE-2026-23326 PUBLISHED

xsk: Fix fragment node deletion to prevent buffer leak

Assigner: Linux
Reserved: 13.01.2026 Published: 25.03.2026 Updated: 25.03.2026

In the Linux kernel, the following vulnerability has been resolved:

xsk: Fix fragment node deletion to prevent buffer leak

After commit b692bf9a7543 ("xsk: Get rid of xdp_buff_xsk::xskb_list_node"), the list_node field is reused for both the xskb pool list and the buffer free list. This causes a buffer leak as described below.

xp_free() checks if a buffer is already on the free list using list_empty(&xskb->list_node). When list_del() is used to remove a node from the xskb pool list, it doesn't reinitialize the node pointers. This means list_empty() will return false even after the node has been removed, causing xp_free() to incorrectly skip adding the buffer to the free list.

Fix this by using list_del_init() instead of list_del() in all fragment handling paths. This ensures the list node is reinitialized after removal, allowing list_empty() to work correctly.
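The following userspace model is an added example, not code from the kernel or from the fix commit; it shows why a node removed with list_del() still fails the list_empty() test while one removed with list_del_init() passes it. The list helpers are simplified re-implementations, and `struct buf`, `model_xp_free()` and `frag_then_free()` are hypothetical stand-ins for the xsk buffer and the xp_free() check described above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the kernel list primitives (constructed, not kernel source). */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

/* Unlink only. The kernel then poisons n->next/n->prev; this model leaves them
 * stale. Either way n->next != n, so list_empty(n) stays false. */
static void list_del(struct list_head *n) { n->prev->next = n->next; n->next->prev = n->prev; }

/* Unlink, then point the node back at itself so list_empty(n) is true. */
static void list_del_init(struct list_head *n) { list_del(n); INIT_LIST_HEAD(n); }

struct buf { struct list_head list_node; };  /* stand-in for xdp_buff_xsk */

/* Hypothetical model of the xp_free() check; returns true if the buffer was queued. */
static bool model_xp_free(struct buf *b, struct list_head *free_list)
{
    if (!list_empty(&b->list_node))
        return false;   /* node looks "already on the free list": buffer leaks */
    list_add_tail(&b->list_node, free_list);
    return true;
}

/* Put one buffer on a fragment list, remove it, then try to free it. */
static bool frag_then_free(bool use_del_init)
{
    struct list_head frags, free_list;
    struct buf b;
    INIT_LIST_HEAD(&frags); INIT_LIST_HEAD(&free_list); INIT_LIST_HEAD(&b.list_node);
    list_add_tail(&b.list_node, &frags);
    if (use_del_init) list_del_init(&b.list_node); else list_del(&b.list_node);
    return model_xp_free(&b, &free_list);
}

int main(void)
{
    printf("list_del freed=%d, list_del_init freed=%d\n", frag_then_free(false), frag_then_free(true));
    return 0;
}
```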

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 560c974b7ccd95bb9ff20df77f6654283e45c9c6 to 5172adf9efb8298a52f4dcdc3f98d4d9d1e06a6d (excl.)
  • affected from fd5614763805d6f386bd07cc53558f88b1b1eb62 to 2a9ea988465ece5b6896b1bdc144170a64e84c35 (excl.)
  • affected from b692bf9a7543af7ad11a59d182a3757578f0ba53 to 645c6d8376ad4913cbffe0e0c2cca0c4febbe596 (excl.)
  • affected from b692bf9a7543af7ad11a59d182a3757578f0ba53 to b38cbd4af5034635cff109e08788c63f956f3a69 (excl.)
  • affected from b692bf9a7543af7ad11a59d182a3757578f0ba53 to 60abb0ac11dccd6b98fd9182bc5f85b621688861 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 6.13 is affected
  • unaffected from 0 to 6.13 (excl.)
  • unaffected from 6.18.17 to 6.18.* (incl.)
  • unaffected from 6.19.7 to 6.19.* (incl.)
  • unaffected from 7.0-rc3 to * (incl.)
