CVE-2026-22994
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
A reference count leak was discovered in the Linux kernel's bpf_prog_test_run_xdp() function. The issue occurs when the error handling path fails to call xdp_convert_buff_to_md(), causing a network interface (e.g., sit0) to remain stuck and preventing its release.
Risk Assessment
The reference count leak can prevent proper network interface detachment, leading to kernel resource exhaustion and potential denial-of-service (DoS) attacks by repeatedly triggering the vulnerable code path.
Recommendation
Apply the Linux kernel patch addressing CVE-2026-22994 immediately, which adds the missing xdp_convert_buff_to_md() call in the error handling path of bpf_prog_test_run_xdp().
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference count leak in bpf_prog_test_run_xdp() syzbot is reporting unregister_netdevice: waiting for sit0 to become free. Usage count = 2 problem. A debug printk() patch found that a refcount is obtained at xdp_convert_md_to_buff() from bpf_prog_test_run_xdp(). According to commit ec94670fcb3b ("bpf: Support specifying ingress via xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md(). Therefore, we can consider that the error handling path introduced by commit 1c1949982524 ("bpf: introduce frags support to bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md().

