Mallory
Severity: High

Linux kernel macvlan use-after-free in macvlan_common_newlink() error recovery

Identifiers: CVE-2026-23209; CWE-416 · Use After Free

CVE-2026-23209 is a use-after-free in the Linux kernel macvlan driver caused by incomplete error recovery in macvlan_common_newlink(). It is reached when a new macvlan interface is created in MACVLAN_MODE_SOURCE with MACVLAN_MACADDR_ADD or MACVLAN_MACADDR_SET on a lower device that already has a macvlan port, and register_netdevice() then fails, for example because the requested interface name is invalid.

Before that failure, macvlan_common_newlink() has already called macvlan_changelink_sources(), which via macvlan_hash_add_source() inserts a macvlan_source_entry referencing the new vlan object into the lower device port's vlan_source_hash. When register_netdevice() fails, the error path skips macvlan_flush_sources() because this call did not create the port, so the entry stays in the hash. Control returns to rtnl_newlink_create(), which calls free_netdev(dev); that frees the struct net_device together with its private macvlan_dev while the stale pointer remains in the source hash. A later frame entering the macvlan port with a matching source MAC address reaches macvlan_forward_source(), which looks the address up in vlan_source_hash and dereferences the freed object.
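To make the cleanup defect concrete, the following is a userspace model of the error path, added here as an illustration; it is not the kernel's drivers/net/macvlan.c, and its structures are simplifications (a linked list in place of the hash table, a `freed` flag in place of free_netdev()). Function names mirror the kernel's; model_newlink() and stale_source_after_failed_newlink() are the model's own, and the MAC address is constructed.

```c
/* Userspace model of the CVE-2026-23209 error path (added example, not kernel
 * code). Only the ordering of "add source entry", "register_netdevice fails",
 * "cleanup", "free the device", "receive-path lookup" is kept. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_ALEN 6

struct macvlan_dev;

/* Stand-in for struct macvlan_source_entry: a source MAC and its owning vlan. */
struct macvlan_source_entry {
    unsigned char addr[ETH_ALEN];
    struct macvlan_dev *vlan;            /* plain pointer, no refcount, as in the kernel */
    struct macvlan_source_entry *next;
};

/* Stand-in for struct macvlan_port; a list replaces vlan_source_hash's table. */
struct macvlan_port {
    struct macvlan_source_entry *vlan_source_hash;
};

/* Stand-in for struct macvlan_dev (the net_device private data). */
struct macvlan_dev {
    struct macvlan_port *port;
    bool freed;  /* set where the kernel would free_netdev(), so the dangling
                  * pointer can be inspected without real undefined behaviour */
};

static void macvlan_hash_add_source(struct macvlan_dev *vlan, const unsigned char *addr)
{
    struct macvlan_source_entry *e = calloc(1, sizeof(*e));
    if (!e) abort();
    memcpy(e->addr, addr, ETH_ALEN);
    e->vlan = vlan;
    e->next = vlan->port->vlan_source_hash;
    vlan->port->vlan_source_hash = e;
}

/* Drop every source entry owned by vlan (kernel: macvlan_flush_sources). */
static void macvlan_flush_sources(struct macvlan_port *port, struct macvlan_dev *vlan)
{
    struct macvlan_source_entry **pp = &port->vlan_source_hash;
    while (*pp) {
        struct macvlan_source_entry *e = *pp;
        if (e->vlan == vlan) { *pp = e->next; free(e); }
        else pp = &e->next;
    }
}

/* Receive-path lookup used by macvlan_forward_source(): returns the vlan that
 * registered this source MAC, or NULL. */
static struct macvlan_dev *macvlan_hash_lookup_source(const struct macvlan_port *port,
                                                      const unsigned char *addr)
{
    for (struct macvlan_source_entry *e = port->vlan_source_hash; e; e = e->next)
        if (memcmp(e->addr, addr, ETH_ALEN) == 0)
            return e->vlan;
    return NULL;
}

/* macvlan_common_newlink() from the source-entry insertion to the failed
 * register_netdevice(). create is true only when this call created the port;
 * fixed selects the upstream cleanup (flush regardless of create). */
static int model_newlink(struct macvlan_port *port, struct macvlan_dev *vlan,
                         bool create, const unsigned char *src_mac, bool fixed)
{
    vlan->port = port;
    macvlan_hash_add_source(vlan, src_mac);  /* MACVLAN_MACADDR_ADD via macvlan_changelink_sources() */

    int err = -EINVAL;                       /* register_netdevice() fails, e.g. invalid name */
    /* destroy_macvlan_port: the vulnerable code flushed only when create was set */
    if (fixed || create)
        macvlan_flush_sources(port, vlan);
    return err;
}

/* Whole scenario: newlink fails, rtnl_newlink_create() frees the device, then a
 * frame carrying the registered source MAC is looked up on the port. Returns
 * true when the lookup hands back a freed vlan, i.e. the use-after-free. */
bool stale_source_after_failed_newlink(bool port_existed, bool fixed)
{
    static const unsigned char src_mac[ETH_ALEN] = {0x02, 0x00, 0x5e, 0x00, 0x00, 0x01}; /* constructed */
    struct macvlan_port port = {0};
    struct macvlan_dev *vlan = calloc(1, sizeof(*vlan));
    if (!vlan) abort();

    if (model_newlink(&port, vlan, !port_existed, src_mac, fixed) < 0)
        vlan->freed = true;                  /* rtnl_newlink_create(): free_netdev(dev) */

    struct macvlan_dev *hit = macvlan_hash_lookup_source(&port, src_mac);
    bool stale = hit != NULL && hit->freed;

    macvlan_flush_sources(&port, vlan);      /* tear the model down */
    free(vlan);
    return stale;
}

int main(void)
{
    printf("port pre-existing, vulnerable cleanup: stale=%d\n", (int)stale_source_after_failed_newlink(true, false));
    printf("port created here, vulnerable cleanup: stale=%d\n", (int)stale_source_after_failed_newlink(false, false));
    printf("port pre-existing, fixed cleanup:      stale=%d\n", (int)stale_source_after_failed_newlink(true, true));
    return 0;
}
```

The only case that leaves a dangling entry is the vulnerable cleanup with a pre-existing port: the `create` check that was meant to guard macvlan_port_destroy() also guarded the flush, which is the line the upstream fix moves out from under that condition.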

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A successful trigger produces a use-after-free in the macvlan receive path: macvlan_forward_source() dereferences a macvlan_dev embedded in a net_device that free_netdev() has already released. The immediate outcome is a kernel crash or panic, i.e. denial of service. Because the freed object is reached from kernel networking structures and dereferenced during packet processing, the bug may also give an attacker who can shape the heap between the free and the dereference a path to privilege escalation or arbitrary code execution in kernel context; whether that is practical depends on allocator state and the hardening of the target kernel build. The preconditions are local: the attacker needs CAP_NET_ADMIN over a network namespace containing a lower device with an existing macvlan port (on hosts with unprivileged user namespaces enabled, an ordinary user can obtain that in a namespace of their own), and must then get a frame with the registered source MAC onto that lower device.

Mitigation

If you can’t patch tonight, do this now.

Until patched, reduce who can reach the trigger rather than relying on parameter checks. The bug needs CAP_NET_ADMIN over a network namespace, so restrict which users and containers can create or modify macvlan links: on hosts that do not need them, disable unprivileged user namespaces (user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on Debian- and Ubuntu-patched kernels), and do not grant CAP_NET_ADMIN to untrusted containers. Avoid configurations that create macvlan interfaces in MACVLAN_MODE_SOURCE with MACVLAN_MACADDR_ADD or MACVLAN_MACADDR_SET on a lower device that already hosts a macvlan port, and pre-validate link creation parameters, including interface names, so that trusted automation does not hit a late register_netdevice() failure by accident. Parameter validation only prevents accidental triggers: a local attacker chooses the failing name on purpose, so it is not a control against deliberate exploitation.

Remediation

Patch, then assume compromise.

Apply the upstream Linux kernel fix for CVE-2026-23209. The fix invokes macvlan_flush_sources() on the destroy_macvlan_port error path regardless of the create value, that is, also when the lower device's port already existed, so the vlan's source-hash entries are removed before rtnl_newlink_create() frees the net_device and no stale pointer persists in vlan_source_hash. Deploy a kernel containing this patch or a vendor backport, then confirm that the running kernel (uname -r) is the patched one and not an older image still booted. Where applicable, vendor advisories indicate fixed packages such as Debian linux 6.12.73-1 or later.
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability (0 tracked).

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor   Product        Type
Debian   Linux          application
Linux    Linux Kernel   operating_system

Vendor-confirmed product mapping.
