HOMEVULNERABILITIESCVE-2026-23209
CRITICAL

CVE-2026-23209

Published: February 14, 2026· Updated: Feb 18, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:6.5th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

macvlan: fix error recovery in macvlan_common_newlink()

valis provided a nice repro to crash the kernel:

ip link add p1 type veth peer p2

ip link set address 00:00:00:00:00:20 dev p1

ip link set up dev p1

ip link set up dev p2

ip link add mv0 link p2 type macvlan mode source

ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20

ping -c1 -I p1 1.2.3.4

He also gave a very detailed analysis:

<quote valis>

The issue is triggered when a new macvlan link is created with

MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or

MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan

port and register_netdevice() called from macvlan_common_newlink()

fails (e.g. because of the invalid link name).

In this case macvlan_hash_add_source is called from

macvlan_change_sources() / macvlan_common_newlink():

This adds a reference to vlan to the port's vlan_source_hash using

macvlan_source_entry.

vlan is a pointer to the priv data of the link that is being created.

When register_netdevice() fails, the error is returned from

macvlan_newlink() to rtnl_newlink_create():

if (ops->newlink)

err = ops->newlink(dev, &params, extack);

else

err = register_netdevice(dev);

if (err < 0) {

free_netdev(dev);

goto out;

}

and free_netdev() is called, causing a kvfree() on the struct

net_device that is still referenced in the source entry attached to

the lower device's macvlan port.

Now all packets sent on the macvlan port with a matching source mac

address will trigger a use-after-free in macvlan_forward_source().

</quote valis>

With all that, my fix is to make sure we call macvlan_flush_sources()

regardless of @create value whenever "goto destroy_macvlan_port;"

path is taken.

Many thanks to valis for following up on this issue.

NVD Source

Technical Analysis

CVE-2026-23209 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (7)

Quick Facts

CVE IDCVE-2026-23209
SeverityCRITICAL
CISA KEVNo
EPSS (30d)0.02%
PublishedFeb 14, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23209 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.