Memory Leak Affecting kernel-uek-debug-modules-usb package, versions <0:6.12.0-200.74.27.el9uek
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-ORACLE9-KERNELUEKDEBUGMODULESUSB-15864264
- published1 Apr 2026
- disclosed14 Feb 2026
Introduced: 14 Feb 2026
CVE-2026-23172 (opens in a new tab)How to fix?
Upgrade Oracle:9 kernel-uek-debug-modules-usb to version 0:6.12.0-200.74.27.el9uek or higher.
This issue was patched in ELSA-2026-50160.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-uek-debug-modules-usb package and not the kernel-uek-debug-modules-usb package as distributed by Oracle.
See How to fix? for Oracle:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
net: wwan: t7xx: fix potential skb->frags overflow in RX path
When receiving data in the DPMAIF RX path, the t7xx_dpmaif_set_frag_to_skb() function adds page fragments to an skb without checking if the number of fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and potentially causing kernel crashes or other undefined behavior.
This issue was identified through static code analysis by comparing with a similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76: fix array overflow on receiving too many fragments for a packet").
The vulnerability could be triggered if the modem firmware sends packets with excessive fragments. While under normal protocol conditions (MTU 3080 bytes, BAT buffer 3584 bytes), a single packet should not require additional fragments, the kernel should not blindly trust firmware behavior. Malicious, buggy, or compromised firmware could potentially craft packets with more fragments than the kernel expects.
Fix this by adding a bounds check before calling skb_add_rx_frag() to ensure nr_frags does not exceed MAX_SKB_FRAGS.
The check must be performed before unmapping to avoid a page leak and double DMA unmap during device teardown.
References
- https://linux.oracle.com/cve/CVE-2026-23172.html
- https://linux.oracle.com/errata/ELSA-2026-50160.html
- https://git.kernel.org/stable/c/2a0522f564acd34442652ea083091c329fa7c5d5
- https://git.kernel.org/stable/c/2c0fb0f60bc1545c52da61bc6bd4855c1e7814ba
- https://git.kernel.org/stable/c/af4b8577d0b388cc3d0039eb0cdd9ca5bbbc9276
- https://git.kernel.org/stable/c/f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6
- https://git.kernel.org/stable/c/f9747a7521a48afded5bff2faf1f2dcfff48c577