CVE-2026-23378
Received Received - Intake
Use-After-Free in Linux Kernel net/sched ife Action Causes OOB Write

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: Fix metalist update behavior Whenever an ife action replace changes the metalist, instead of replacing the old data on the metalist, the current ife code is appending the new metadata. Aside from being innapropriate behavior, this may lead to an unbounded addition of metadata to the metalist which might cause an out of bounds error when running the encode op: [ 138.423369][ C1] ================================================================== [ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168) [ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255 [ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full) [ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 138.425800][ C1] Call Trace: [ 138.425804][ C1] <IRQ> [ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122) [ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) [ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1)) [ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168) [ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597) [ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168) [ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1)) [ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2)) [ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168) [ 138.425893][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:171) [ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57) [ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114) [ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3)) [ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45) [ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879) To solve this issue, fix the replace behavior by adding the metalist to the ife rcu data structure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-24
Generated
2026-05-07
AI Q&A
2026-03-26
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23378
EUVD
EUVD-2026-15368
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 4.15
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.77 (exc)
linux linux_kernel From 4.15.1 (inc) to 6.1.167 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's net/sched component, specifically in the act_ife module. The issue arises because when an ife action replace operation modifies the metalist, the current code appends new metadata instead of replacing the old data. This inappropriate behavior can cause an unbounded growth of metadata in the metalist.

This unbounded addition may lead to an out-of-bounds error during the encoding operation, which is detected by the Kernel Address Sanitizer (KASAN) as a slab-out-of-bounds write error.

The fix involves correcting the replace behavior by properly adding the metalist to the ife RCU (Read-Copy-Update) data structure to prevent this unbounded metadata growth.


How can this vulnerability impact me? :

This vulnerability can cause an out-of-bounds memory write in the Linux kernel, which may lead to system instability, crashes, or potential kernel memory corruption.

Such memory corruption issues can be exploited to cause denial of service or potentially escalate privileges if an attacker can trigger the vulnerability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability may cause kernel errors related to the ife action in the Linux kernel, specifically involving the metalist update behavior. Detection can involve monitoring kernel logs for specific error messages.

  • Check kernel logs for KASAN slab-out-of-bounds errors related to ife_tlv_meta_encode, for example using: dmesg | grep -i 'ife_tlv_meta_encode'
  • Look for BUG reports in kernel logs mentioning 'slab-out-of-bounds' or 'ife_out_out_bou' task names.
  • Use journalctl to review recent kernel messages: journalctl -k | grep -i 'ife'

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by correcting the metalist update behavior in the Linux kernel's ife action code. Immediate mitigation involves updating the Linux kernel to a version that includes this fix.

  • Apply the latest Linux kernel updates or patches that address the act_ife metalist update issue.
  • Avoid using the ife action feature in network scheduling until the fix is applied.
  • Monitor kernel logs for related errors to detect any exploitation attempts.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart