CVE-2026-23340
Received Received - Intake
Use-After-Free Vulnerability in Linux Kernel net_sched Component

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used. qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_reset() can run concurrently with __qdisc_run() and free skbs while they are still being dequeued, leading to UAF. This can easily be reproduced on e.g. virtio-net by imposing heavy traffic while frequently changing the number of queue pairs: iperf3 -ub0 -c $peer -t 0 & while :; do ethtool -L eth0 combined 1 ethtool -L eth0 combined 2 done With KASAN enabled, this leads to reports like: BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760 ... Call Trace: <TASK> ... __qdisc_run+0x133f/0x1760 __dev_queue_xmit+0x248f/0x3550 ip_finish_output2+0xa42/0x2110 ip_output+0x1a7/0x410 ip_send_skb+0x2e6/0x480 udp_send_skb+0xb0a/0x1590 udp_sendmsg+0x13c9/0x1fc0 ... </TASK> Allocated by task 1270 on cpu 5 at 44.558414s: ... alloc_skb_with_frags+0x84/0x7c0 sock_alloc_send_pskb+0x69a/0x830 __ip_append_data+0x1b86/0x48c0 ip_make_skb+0x1e8/0x2b0 udp_sendmsg+0x13a6/0x1fc0 ... Freed by task 1306 on cpu 3 at 44.558445s: ... kmem_cache_free+0x117/0x5e0 pfifo_fast_reset+0x14d/0x580 qdisc_reset+0x9e/0x5f0 netif_set_real_num_tx_queues+0x303/0x840 virtnet_set_channels+0x1bf/0x260 [virtio_net] ethnl_set_channels+0x684/0xae0 ethnl_default_set_doit+0x31a/0x890 ... Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the serialization model already used by dev_reset_queue(). Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state reflects an empty queue, avoiding needless re-scheduling.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-05-07
AI Q&A
2026-03-25
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23340
EUVD
EUVD-2026-15307
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
linux linux_kernel 4.16
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.77 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 4.16.1 (inc) to 5.15.203 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's network scheduling code. It occurs when the number of real transmit (tx) queues is reduced, triggering a function called qdisc_reset_all_tx_gt() to flush queues that will no longer be used.

The problem arises because qdisc_reset_all_tx_gt() uses a locking mechanism (qdisc_lock()) that does not properly synchronize with the dequeue path of lockless queueing disciplines (qdiscs), which use a different locking method (qdisc->seqlock). This mismatch allows qdisc_reset() to run concurrently with packet dequeue operations (__qdisc_run()), potentially freeing network buffers (skbs) while they are still being accessed, leading to a use-after-free (UAF) condition.

This issue can be reproduced by rapidly changing the number of queue pairs on a network device under heavy traffic, causing kernel memory errors detected by tools like KASAN.

The fix involves properly serializing qdisc_reset_all_tx_gt() with the dequeue path by using the appropriate seqlock for lockless qdiscs, ensuring safe concurrent operations and preventing use-after-free errors.


How can this vulnerability impact me? :

This vulnerability can lead to use-after-free conditions in the Linux kernel's network stack, which may cause system instability, crashes, or kernel panics.

Exploitation of this flaw could potentially allow attackers to execute arbitrary code within the kernel context or cause denial of service by crashing the system.

Systems that frequently change the number of transmit queues under heavy network traffic, such as virtualized environments using virtio-net devices, are particularly at risk.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by reproducing the conditions that trigger the use-after-free (UAF) in the Linux kernel's network scheduler code. Specifically, heavy network traffic combined with frequent changes to the number of transmit queues can expose the issue.

A suggested method to reproduce and detect the vulnerability is to run a continuous UDP traffic test using iperf3 while repeatedly changing the number of combined queues on the network interface using ethtool.

  • Run iperf3 in UDP mode to generate traffic: iperf3 -ub0 -c $peer -t 0 &
  • In a loop, change the number of combined queues on the interface eth0: while :; do ethtool -L eth0 combined 1; ethtool -L eth0 combined 2; done

If Kernel Address Sanitizer (KASAN) is enabled, this test can lead to reports indicating slab-use-after-free errors in __qdisc_run, which confirms the presence of the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by serializing the qdisc_reset_all_tx_gt() function against the lockless dequeue path using the qdisc's seqlock for lockless qdiscs, matching the existing serialization model.

Additionally, the QDISC_STATE_NON_EMPTY flag is cleared after reset to reflect an empty queue state, avoiding unnecessary rescheduling.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • If updating is not immediately possible, avoid frequently changing the number of transmit queues on network interfaces under heavy traffic conditions.
  • Enable Kernel Address Sanitizer (KASAN) if possible to detect use-after-free errors during testing.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart