CVE-2026-22994

{"id": "CVE-2026-22994", "cveTags": [], "metrics": {}, "published": "2026-01-23T16:15:55.490", "references": [{"url": "https://git.kernel.org/stable/c/368569bc546d3368ee9980ba79fc42fdff9a3365", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/737be05a765761d7d7c9f7fe92274bd8e6f6951e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/98676ee71fd4eafeb8be63c7f3f1905d40e03101", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ec69daabe45256f98ac86c651b8ad1b2574489a7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fb9ef40cccdbacce36029b305d0ef1e12e4fea38", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix reference count leak in bpf_prog_test_run_xdp()\n\nsyzbot is reporting\n\n unregister_netdevice: waiting for sit0 to become free. Usage count = 2\n\nproblem. A debug printk() patch found that a refcount is obtained at\nxdp_convert_md_to_buff() from bpf_prog_test_run_xdp().\n\nAccording to commit ec94670fcb3b (\"bpf: Support specifying ingress via\nxdp_md context in BPF_PROG_TEST_RUN\"), the refcount obtained by\nxdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().\n\nTherefore, we can consider that the error handling path introduced by\ncommit 1c1949982524 (\"bpf: introduce frags support to\nbpf_prog_test_run_xdp()\") forgot to call xdp_convert_buff_to_md()."}], "lastModified": "2026-01-26T15:03:33.357", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}