CVE-2026-23463
Analyzed Analyzed - Analysis Complete
Race Condition in Linux Kernel QMAN_FQ Causes Use-After-Free

Publication date: 2026-04-03

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: fix race condition in qman_destroy_fq When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. Indeed, we can have: Thread A Thread B qman_destroy_fq() qman_create_fq() qman_release_fqid() qman_shutdown_fq() gen_pool_free() -- At this point, the fqid is available again -- qman_alloc_fqid() -- so, we can get the just-freed fqid in thread B -- fq->fqid = fqid; fq->idx = fqid * 2; WARN_ON(fq_table[fq->idx]); fq_table[fq->idx] = fq; fq_table[fq->idx] = NULL; And adding some logs between qman_release_fqid() and fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more. To prevent that, ensure that fq_table[fq->idx] is set to NULL before gen_pool_free() is called by using smp_wmb().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-05-20
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23463
EUVD
EUVD-2026-18726
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 4.9 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability is fixed by ensuring that fq_table[fq->idx] is set to NULL before gen_pool_free() is called, using smp_wmb() to prevent the race condition.

Immediate mitigation steps include updating your Linux kernel to a version that contains this fix.

If updating is not immediately possible, monitor kernel logs for WARN_ON triggers as an indicator of the issue.

Executive Summary

This vulnerability is a race condition in the Linux kernel's qbman (Queue Manager) driver for Freescale (fsl) hardware. It occurs when the QMAN_FQ_FLAG_DYNAMIC_FQID flag is set, causing a timing issue between freeing and allocating queue flow IDs (fqid) in concurrent threads.

Specifically, one thread (Thread A) is destroying a flow queue and releasing its fqid back to the pool, while another thread (Thread B) is simultaneously creating a new flow queue and allocating an fqid. Because the fqid can be reused immediately after being freed, Thread B may access and modify the fq_table at an index that Thread A has not yet cleared, triggering a WARN_ON() warning and potentially causing inconsistent state.

The fix involves ensuring that the fq_table entry is set to NULL before the fqid is freed, using memory barriers (smp_wmb()) to prevent this race condition.

Impact Analysis

This race condition can lead to warnings and potentially unstable or inconsistent behavior in the Linux kernel's queue management subsystem. It may cause kernel warnings (WARN_ON) and could lead to unpredictable behavior in network packet handling or other operations relying on the qbman driver.

While the description does not explicitly mention security impacts such as privilege escalation or denial of service, race conditions in kernel code can sometimes be exploited to cause crashes or unexpected behavior, which might affect system stability or reliability.

Detection Guidance

This vulnerability involves a race condition in the Linux kernel's qbman driver related to the qman_destroy_fq and qman_create_fq functions. Detection would typically involve monitoring kernel logs for WARN_ON triggers related to fq_table[fq->idx].

You can check your system logs (e.g., using dmesg or journalctl) for warnings triggered by WARN_ON in qman_create_fq, which indicate the race condition is occurring.

  • Run: dmesg | grep WARN_ON
  • Run: journalctl -k | grep WARN_ON
  • Check for messages related to qman_create_fq or qman_destroy_fq in kernel logs.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23463. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart