Skip to main content

Linux CVE-2026-23340

| EUVDEUVD-2026-15307 HIGH
Use After Free (CWE-416)
2026-03-25 Linux GHSA-27rj-chmq-rh6r
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
6.4 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 18, 2026 - 09:36 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 09:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15307
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs

When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used.

qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_reset() can run concurrently with __qdisc_run() and free skbs while they are still being dequeued, leading to UAF.

This can easily be reproduced on e.g. virtio-net by imposing heavy traffic while frequently changing the number of queue pairs:

iperf3 -ub0 -c $peer -t 0 & while :; do ethtool -L eth0 combined 1 ethtool -L eth0 combined 2 done

With KASAN enabled, this leads to reports like:

BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760 ... Call Trace: <TASK> ... __qdisc_run+0x133f/0x1760 __dev_queue_xmit+0x248f/0x3550 ip_finish_output2+0xa42/0x2110 ip_output+0x1a7/0x410 ip_send_skb+0x2e6/0x480 udp_send_skb+0xb0a/0x1590 udp_sendmsg+0x13c9/0x1fc0 ... </TASK>

Allocated by task 1270 on cpu 5 at 44.558414s: ... alloc_skb_with_frags+0x84/0x7c0 sock_alloc_send_pskb+0x69a/0x830 __ip_append_data+0x1b86/0x48c0 ip_make_skb+0x1e8/0x2b0 udp_sendmsg+0x13a6/0x1fc0 ...

Freed by task 1306 on cpu 3 at 44.558445s: ... kmem_cache_free+0x117/0x5e0 pfifo_fast_reset+0x14d/0x580 qdisc_reset+0x9e/0x5f0 netif_set_real_num_tx_queues+0x303/0x840 virtnet_set_channels+0x1bf/0x260 [virtio_net] ethnl_set_channels+0x684/0xae0 ethnl_default_set_doit+0x31a/0x890 ...

Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the serialization model already used by dev_reset_queue().

Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state reflects an empty queue, avoiding needless re-scheduling.

AnalysisAI

Use-after-free in Linux kernel network traffic control subsystem allows local authenticated attackers to execute arbitrary code with high privileges when changing network queue pair configurations on lockless qdiscs (virtio-net confirmed affected). Race condition between qdisc_reset_all_tx_gt() and dequeue operations causes memory to be freed while still in use. Vendor-released patches available for stable kernel branches 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, and mainline 7.0-rc3. EPSS exploitation probability is low (0.02%, 7th percentile) and no active exploitation confirmed at time of analysis, though a reliable reproducer exists using iperf3 and ethtool queue manipulation.

Technical ContextAI

The vulnerability affects the Linux kernel's network traffic control (qdisc) subsystem, specifically the interaction between queue discipline reset operations and packet dequeue paths for lockless qdiscs introduced in kernel 4.16. Traditional qdiscs use qdisc_lock() for serialization, but lockless qdiscs (optimized for multi-queue network devices like virtio-net) use qdisc->seqlock with qdisc_run_begin/end() primitives. When netif_set_real_num_tx_queues() reduces active transmit queues, it calls qdisc_reset_all_tx_gt() to flush queues that will no longer be used. The reset function acquired only qdisc_lock(), assuming this would prevent concurrent access. However, lockless qdiscs serialize their dequeue path (__qdisc_run()) via seqlock instead, creating a window where qdisc_reset() can free socket buffers while __qdisc_run() still references them. The fix serializes reset operations against lockless dequeue by acquiring qdisc->seqlock for TCQ_F_NOLOCK qdiscs and clearing QDISC_STATE_NON_EMPTY after reset, matching the serialization model in dev_reset_queue(). This represents a classic TOCTOU race in concurrent systems where different code paths use incompatible locking primitives.

RemediationAI

Upgrade to patched kernel versions: 6.1.167+ for 6.1.x branch, 6.6.130+ for 6.6.x, 6.12.77+ for 6.12.x, 6.18.17+ for 6.18.x, 6.19.7+ for 6.19.x, or 7.0-rc3+ for mainline kernels. Patches available via git.kernel.org stable tree commits 7594467c49bf (mainline), dbd58b0730aa, 5bc4e69306ed, 8314944cc3bd, c69df4e0524f, and 7f083faf59d1 for respective branches. For systems where immediate patching is not feasible, restrict access to network interface configuration capabilities by removing CAP_NET_ADMIN from untrusted users and containers, though this breaks legitimate use cases requiring dynamic queue reconfiguration. Avoid frequently changing ethtool queue pair settings under heavy network load as this triggers the race condition. Consider switching to traditional (non-lockless) qdiscs by rebuilding network drivers without lockless optimizations, though this significantly impacts performance on multi-queue NICs. Monitor for unusual ethtool invocations combined with high network traffic as potential exploitation attempts. No effective runtime workaround exists that preserves full functionality; kernel upgrade is the primary remediation path.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23340 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy