HIGHCVE-2026-23098Published Modified CNA Linux
CVE-2026-23098: netrom: fix double-free in nr_route_frame()
In the Linux kernel, the following vulnerability has been resolved: netrom: fix double-free in nr_route_frame() In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again, causing a double-free bug. Therefore, to prevent this, we need to modify it to check whether nr_neigh->ax25 is NULL before freeing old_skb.
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 0
- Affected Products
- 2
Fix available
025aab6bfc31017a7e52035b99aef5c2b6bde8ffb5.10.2495.15.1996.1.1626.6.1226.12.686.18.86.196e0110ea90313b7c0558a0b77038274a6821caf87c48fdf2d1349bb54815b56fb012b9d57770770894d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c9f5fa78d9980fe75a69835521627ab7943cb3d67ba1096c315283ee3292765f6aea4cca15816c4f7bd8955337e3764f912f49b360e176d8aaecf7016
Affected packages
- Linux / Linux< 25aab6bfc31017a7e52035b99aef5c2b6bde8ffb (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 6e0110ea90313b7c0558a0b77038274a6821caf8 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 7c48fdf2d1349bb54815b56fb012b9d577707708 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < bd8955337e3764f912f49b360e176d8aaecf7016 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 94d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 9f5fa78d9980fe75a69835521627ab7943cb3d67 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
- Linux / Linux2.6.12Fixed in 0, 5.10.249, 5.15.199, 6.1.162, 6.6.122, 6.12.68, 6.18.8, 6.19
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H