CVE-2026-23463
Race Condition in Linux Kernel QMAN_FQ Causes Use-After-Free

Publication date: 2026-04-03

Last updated on: 2026-04-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

soc: fsl: qbman: fix race condition in qman_destroy_fq

When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool, and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. Indeed, we can have:

  Thread A                                        Thread B
  qman_destroy_fq()                               qman_create_fq()
    qman_release_fqid()
      qman_shutdown_fq()
      gen_pool_free()
      -- At this point, the fqid is available again --
                                                    qman_alloc_fqid()
                                                    -- so, we can get the just-freed fqid in thread B --
                                                    fq->fqid = fqid;
                                                    fq->idx = fqid * 2;
                                                    WARN_ON(fq_table[fq->idx]);
                                                    fq_table[fq->idx] = fq;
    fq_table[fq->idx] = NULL;

And adding some logs between qman_release_fqid() and fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.

To prevent that, ensure that fq_table[fq->idx] is set to NULL before gen_pool_free() is called by using smp_wmb().
Meta Information
Published: 2026-04-03
Last Modified: 2026-04-18
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs

  Vendor   Product        Version / Range
  linux    linux_kernel   *
  fsl      qbman          *
CWE: CWE-UNKNOWN
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by ensuring that fq_table[fq->idx] is set to NULL before gen_pool_free() is called, using smp_wmb() to prevent the race condition.

Immediate mitigation steps include updating your Linux kernel to a version that contains this fix.

If updating is not immediately possible, monitor kernel logs for WARN_ON triggers as an indicator of the issue.


Can you explain this vulnerability to me?

This vulnerability is a race condition in the Linux kernel's qbman (Queue Manager) driver for Freescale (fsl) hardware. It occurs when the QMAN_FQ_FLAG_DYNAMIC_FQID flag is set, causing a timing issue between freeing and allocating queue flow IDs (fqid) in concurrent threads.

Specifically, one thread (Thread A) is destroying a flow queue and releasing its fqid back to the pool, while another thread (Thread B) is simultaneously creating a new flow queue and allocating an fqid. Because the fqid can be reused immediately after being freed, Thread B may access and modify the fq_table at an index that Thread A has not yet cleared, triggering a WARN_ON() warning and potentially causing inconsistent state.

The fix involves ensuring that the fq_table entry is set to NULL before the fqid is freed, using memory barriers (smp_wmb()) to prevent this race condition.


How can this vulnerability impact me?

This race condition can lead to warnings and potentially unstable or inconsistent behavior in the Linux kernel's queue management subsystem. It may cause kernel warnings (WARN_ON) and could lead to unpredictable behavior in network packet handling or other operations relying on the qbman driver.

While the description does not explicitly mention security impacts such as privilege escalation or denial of service, race conditions in kernel code can sometimes be exploited to cause crashes or unexpected behavior, which might affect system stability or reliability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a race condition in the Linux kernel's qbman driver related to the qman_destroy_fq and qman_create_fq functions. Detection would typically involve monitoring kernel logs for WARN_ON triggers related to fq_table[fq->idx].

You can check your system logs (e.g., using dmesg or journalctl) for warnings triggered by WARN_ON in qman_create_fq, which indicate the race condition is occurring.

  • Run: dmesg | grep WARN_ON
  • Run: journalctl -k | grep WARN_ON
  • Check for messages related to qman_create_fq or qman_destroy_fq in kernel logs.
