CVE-2026-23436
Received Received - Intake
Use-After-Free Race Condition in Linux Kernel netdev Shaper Component

Publication date: 2026-04-03

Last updated on: 2026-04-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: shaper: protect from late creation of hierarchy We look up a netdev during prep of Netlink ops (pre- callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU which are the actual protections. The netdev may get unregistered in between the time we take the ref and the time we lock it. We may allocate the hierarchy after flush has already run, which would lead to a leak. Take the instance lock in pre- already, this saves us from the race and removes the need for dedicated lock/unlock callbacks completely. After all, if there's any chance of write happening concurrently with the flush - we're back to leaking the hierarchy. We may take the lock for devices which don't support shapers but we're only dealing with SET operations here, not taking the lock would be optimizing for an error case.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-23
Generated
2026-05-07
AI Q&A
2026-04-03
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23436
EUVD
EUVD-2026-18677
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.13
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 6.13.1 (inc) to 6.18.20 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's network subsystem related to the handling of network device (netdev) shapers. During the preparation of Netlink operations, a reference to a netdev is taken before locking it. However, the netdev may be unregistered between taking the reference and acquiring the lock, which can lead to a race condition.

This race condition can cause the allocation of a hierarchy after a flush operation has already run, resulting in a memory leak of the hierarchy. The fix involves taking the instance lock earlier in the process to prevent this race and eliminate the need for separate lock/unlock callbacks.


How can this vulnerability impact me? :

The vulnerability can lead to a memory leak in the Linux kernel's network subsystem. This leak occurs when a network device is unregistered during certain operations, causing the system to allocate resources improperly.

Such a memory leak could degrade system performance over time, potentially leading to resource exhaustion or instability in network-related functions.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by changes in the Linux kernel that protect from late creation of hierarchy in the net shaper subsystem.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix for this issue.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart