CVE-2026-22994

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-22994
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22994.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-22994
Downstream
Published
2026-01-23T15:24:14.749Z
Modified
2026-04-02T13:11:40.684209Z
Summary
bpf: Fix reference count leak in bpf_prog_test_run_xdp()
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix reference count leak in bpfprogtestrunxdp()

syzbot is reporting

unregister_netdevice: waiting for sit0 to become free. Usage count = 2

problem. A debug printk() patch found that a refcount is obtained at xdpconvertmdtobuff() from bpfprogtestrunxdp().

According to commit ec94670fcb3b ("bpf: Support specifying ingress via xdpmd context in BPFPROGTESTRUN"), the refcount obtained by xdpconvertmdtobuff() will be released by xdpconvertbufftomd().

Therefore, we can consider that the error handling path introduced by commit 1c1949982524 ("bpf: introduce frags support to bpfprogtestrunxdp()") forgot to call xdpconvertbufftomd().

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22994.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1c194998252469cad00a08bd9ef0b99fd255c260
Fixed
368569bc546d3368ee9980ba79fc42fdff9a3365
Fixed
98676ee71fd4eafeb8be63c7f3f1905d40e03101
Fixed
fb9ef40cccdbacce36029b305d0ef1e12e4fea38
Fixed
737be05a765761d7d7c9f7fe92274bd8e6f6951e
Fixed
ec69daabe45256f98ac86c651b8ad1b2574489a7

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22994.json"