CVE-2026-23046

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-23046
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23046.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23046
Downstream
Published
2026-02-04T16:00:28.772Z
Modified
2026-02-09T19:33:51.043293Z
Summary
virtio_net: fix device mismatch in devm_kzalloc/devm_kfree
Details

In the Linux kernel, the following vulnerability has been resolved:

virtionet: fix device mismatch in devmkzalloc/devm_kfree

Initial rsshdr allocation uses virtiodevice->device, but virtnetsetqueues() frees using net_device->device. This device mismatch causing below devres warning

[ 3788.514041] ------------[ cut here ]------------ [ 3788.514044] WARNING: drivers/base/devres.c:1095 at devmkfree+0x84/0x98, CPU#16: vdpa/1463 [ 3788.514054] Modules linked in: octepvdpa virtionet virtiovdpa [last unloaded: virtiovdpa] [ 3788.514064] CPU: 16 UID: 0 PID: 1463 Comm: vdpa Tainted: G W 6.18.0 #10 PREEMPT [ 3788.514067] Tainted: [W]=WARN [ 3788.514069] Hardware name: Marvell CN106XX board (DT) [ 3788.514071] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) [ 3788.514074] pc : devmkfree+0x84/0x98 [ 3788.514076] lr : devmkfree+0x54/0x98 [ 3788.514079] sp : ffff800084e2f220 [ 3788.514080] x29: ffff800084e2f220 x28: ffff0003b2366000 x27: 000000000000003f [ 3788.514085] x26: 000000000000003f x25: ffff000106f17c10 x24: 0000000000000080 [ 3788.514089] x23: ffff00045bb8ab08 x22: ffff00045bb8a000 x21: 0000000000000018 [ 3788.514093] x20: ffff0004355c3080 x19: ffff00045bb8aa00 x18: 0000000000080000 [ 3788.514098] x17: 0000000000000040 x16: 000000000000001f x15: 000000000007ffff [ 3788.514102] x14: 0000000000000488 x13: 0000000000000005 x12: 00000000000fffff [ 3788.514106] x11: ffffffffffffffff x10: 0000000000000005 x9 : ffff800080c8c05c [ 3788.514110] x8 : ffff800084e2eeb8 x7 : 0000000000000000 x6 : 000000000000003f [ 3788.514115] x5 : ffff8000831bafe0 x4 : ffff800080c8b010 x3 : ffff0004355c3080 [ 3788.514119] x2 : ffff0004355c3080 x1 : 0000000000000000 x0 : 0000000000000000 [ 3788.514123] Call trace: [ 3788.514125] devmkfree+0x84/0x98 (P) [ 3788.514129] virtnetsetqueues+0x134/0x2e8 [virtionet] [ 3788.514135] virtnetprobe+0x9c0/0xe00 [virtionet] [ 3788.514139] virtiodevprobe+0x1e0/0x338 [ 3788.514144] reallyprobe+0xc8/0x3a0 [ 3788.514149] __driverprobedevice+0x84/0x170 [ 3788.514152] driverprobedevice+0x44/0x120 [ 3788.514155] __deviceattachdriver+0xc4/0x168 [ 3788.514158] busforeach_drv+0x8c/0xf0 [ 3788.514161] __deviceattach+0xa4/0x1c0 [ 3788.514164] deviceinitialprobe+0x1c/0x30 [ 3788.514168] busprobedevice+0xb4/0xc0 [ 3788.514170] deviceadd+0x614/0x828 [ 3788.514173] registervirtiodevice+0x214/0x258 [ 3788.514175] virtiovdpaprobe+0xa0/0x110 [virtiovdpa] [ 3788.514179] vdpadevprobe+0xa8/0xd8 [ 3788.514183] reallyprobe+0xc8/0x3a0 [ 3788.514186] __driverprobedevice+0x84/0x170 [ 3788.514189] driverprobedevice+0x44/0x120 [ 3788.514192] __deviceattachdriver+0xc4/0x168 [ 3788.514195] busforeach_drv+0x8c/0xf0 [ 3788.514197] __deviceattach+0xa4/0x1c0 [ 3788.514200] deviceinitialprobe+0x1c/0x30 [ 3788.514203] busprobedevice+0xb4/0xc0 [ 3788.514206] deviceadd+0x614/0x828 [ 3788.514209] vdparegisterdevice+0x58/0x88 [ 3788.514211] octepvdpadevadd+0x104/0x228 [octepvdpa] [ 3788.514215] vdpanlcmddevaddsetdoit+0x2d0/0x3c0 [ 3788.514218] genlfamilyrcvmsgdoit+0xe4/0x158 [ 3788.514222] genlrcvmsg+0x218/0x298 [ 3788.514225] netlinkrcvskb+0x64/0x138 [ 3788.514229] genlrcv+0x40/0x60 [ 3788.514233] netlinkunicast+0x32c/0x3b0 [ 3788.514237] netlinksendmsg+0x170/0x3b8 [ 3788.514241] __sys_sendto+0x12c/0x1c0 [ 3788.514246] _arm64syssendto+0x30/0x48 [ 3788.514249] invokesyscall.constprop.0+0x58/0xf8 [ 3788.514255] doel0svc+0x48/0xd0 [ 3788.514259] el0svc+0x48/0x210 [ 3788.514264] el0t64synchandler+0xa0/0xe8 [ 3788.514268] el0t64sync+0x198/0x1a0 [ 3788.514271] ---[ end trace 0000000000000000 ]---

Fix by using virtio_device->device consistently for allocation and deallocation

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23046.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4944be2f5ad8c74b93e4e272f3a0f1a136bbc438
Fixed
a5e2d902f64c76169c771f584559c82b588090e3
Fixed
acb4bc6e1ba34ae1a34a9334a1ce8474c909466e

Affected versions

v6.*
v6.14
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.18
v6.18-rc1
v6.18-rc2
v6.18-rc3
v6.18-rc4
v6.18-rc5
v6.18-rc6
v6.18-rc7
v6.18.1
v6.18.2
v6.18.3
v6.18.4
v6.18.5
v6.19-rc1
v6.19-rc2
v6.19-rc3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23046.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.15.0
Fixed
6.18.6

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23046.json"