—

CVE-2026-23454EXPLOITEDPATCHED

linux · linux kernel

net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown

Description

In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown A potential race condition exists in mana_hwc_destroy_channel() where hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt handler to dereference freed memory, leading to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp(). mana_smc_teardown_hwc() signals the hardware to stop but does not synchronize against IRQ handlers already executing on other CPUs. The IRQ synchronization only happens in mana_hwc_destroy_cq() via mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() can dereference freed caller_ctx (and rxq->msg_buf) in mana_hwc_handle_resp(). Fix this by reordering teardown to reverse-of-creation order: destroy the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This ensures all in-flight interrupt handlers complete before the memory they access is freed.

Affected Products

Vendor	Product	Versions
linux	linux kernel	ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f, ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f, ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f, ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f, ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f, ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f, 5.13, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0-rc5

References

Related News (2 articles)

Tier C

VulDB8h ago

CVE-2026-23454 | Linux Kernel up to 7.0-rc4 IRQ mana_hwc_destroy_channel null pointer dereference

→ No new info (linked only)

Tier C

Linux Kernel CVEs9h ago

CVE-2026-23454: net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

e23bf444512cb85d76012080a76cd1f9e967448e249e905571583a434d4ea8d6f92ccc0eef3371152b001901f689021acd7bf2dceed74a1bdcaaa1f9afdb1533eb9c05432aeb793a7280fa827c502f5c05d345719d85b927cba74afac4d5322de3aa4256fa103fc8f56954a60699a29215cb713448a39e8706.1.1676.6.1306.12.786.18.206.19.107.0-rc5

CWECWE-476

PublishedApr 3, 2026

Last enriched8h agov3

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-31393EXP

Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access

Trending: 59

CRITICALCVE-2026-31397EXP

mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()

Trending: 59

CRITICALCVE-2026-23463EXP

soc: fsl: qbman: fix race condition in qman_destroy_fq

Trending: 59

CRITICALCVE-2026-23438EXP

net: mvpp2: guard flow control update with global_tx_fc in buffer switching

Trending: 59

CRITICALCVE-2026-23449EXP

net/sched: teql: Fix double-free in teql_master_xmit

Trending: 59

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 3, 2026

Discovered by ZDM

Apr 3, 2026

Actively Exploited

Apr 3, 2026

Exploit Available

Apr 3, 2026

Patch Available

Apr 3, 2026

Updated: description, affectedVersions, severity, exploitAvailable, activelyExploited

Apr 3, 2026

Updated: severity, cweIds, tags

Apr 3, 2026

Version History

Last enriched 8h ago

v3Tier C8h ago

Updated severity to CRITICAL, added CWE-476, and included new CVE ID CVE-2026-23454.

severitycweIdstags

via VulDB

v2Tier C9h ago

Updated description with more technical detail, added affected versions, changed severity to HIGH, and marked exploit availability and active exploitation as true.

descriptionaffectedVersionsseverityexploitAvailableactivelyExploited

via Linux Kernel CVEs

v19h ago

Initial creation