CVE-2026-23322

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipmi: Fix use-after-free and list corruption on sender error<br /> <br /> The analysis from Breno:<br /> <br /> When the SMI sender returns an error, smi_work() delivers an error<br /> response but then jumps back to restart without cleaning up properly:<br /> <br /> 1. intf-&gt;curr_msg is not cleared, so no new message is pulled<br /> 2. newmsg still points to the message, causing sender() to be called<br /> again with the same message<br /> 3. If sender() fails again, deliver_err_response() is called with<br /> the same recv_msg that was already queued for delivery<br /> <br /> This causes list_add corruption ("list_add double add") because the<br /> recv_msg is added to the user_msgs list twice. Subsequently, the<br /> corrupted list leads to use-after-free when the memory is freed and<br /> reused, and eventually a NULL pointer dereference when accessing<br /> recv_msg-&gt;done.<br /> <br /> The buggy sequence:<br /> <br /> sender() fails<br /> -&gt; deliver_err_response(recv_msg) // recv_msg queued for delivery<br /> -&gt; goto restart // curr_msg not cleared!<br /> sender() fails again (same message!)<br /> -&gt; deliver_err_response(recv_msg) // tries to queue same recv_msg<br /> -&gt; LIST CORRUPTION<br /> <br /> Fix this by freeing the message and setting it to NULL on a send error.<br /> Also, always free the newmsg on a send error, otherwise it will leak.