Skip to main content

Linux CVE-2026-23436

| EUVDEUVD-2026-18677 MEDIUM
2026-04-03 Linux GHSA-943r-726h-fc9x
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 23, 2026 - 21:11 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
719f6784f918f9e32f3ff3b197f900e852223f9d
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18677
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: shaper: protect from late creation of hierarchy

We look up a netdev during prep of Netlink ops (pre- callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU which are the actual protections.

The netdev may get unregistered in between the time we take the ref and the time we lock it. We may allocate the hierarchy after flush has already run, which would lead to a leak.

Take the instance lock in pre- already, this saves us from the race and removes the need for dedicated lock/unlock callbacks completely. After all, if there's any chance of write happening concurrently with the flush - we're back to leaking the hierarchy.

We may take the lock for devices which don't support shapers but we're only dealing with SET operations here, not taking the lock would be optimizing for an error case.

AnalysisAI

Linux kernel net shaper subsystem susceptible to race condition during hierarchy creation allows unauthenticated local attackers to leak kernel memory or trigger use-after-free conditions. The vulnerability arises when a netdev is unregistered between reference acquisition during Netlink operation preparation and subsequent lock acquisition, permitting hierarchy allocation after flush operations have completed. Fixed via upstream commits that consolidate locking to pre-callback phase, preventing concurrent write races with flush operations.

Technical ContextAI

The Linux kernel's network shaper subsystem manages traffic control hierarchies via Netlink operations. The vulnerability exists in the interaction between device reference counting, instance locking, and netdev unregistration handlers. During Netlink operation preparation (pre-callbacks), the code acquires a reference to a netdev device but defers instance lock acquisition until the actual callback body. The underlying issue is a time-of-check-to-time-of-use (TOCTOU) race condition: if the netdev unregisters between reference acquisition and lock acquisition, the flush handler may have already executed, leaving the hierarchy uninitialized. Subsequent hierarchy allocation proceeds without proper synchronization, creating a use-after-free or memory leak vector. The fix consolidates locking into the pre-callback phase via commits 719f6784f918f9e32f3ff3b197f900e852223f9d, d22921727023e7852704965e935f4d1fc83a5ec9, and d75ec7e8ba1979a1eb0b9211d94d749cdce849c8, eliminating the window between reference and lock acquisition.

RemediationAI

Update to a Linux kernel version containing the upstream fixes available at https://git.kernel.org/stable/c/719f6784f918f9e32f3ff3b197f900e852223f9d, https://git.kernel.org/stable/c/d22921727023e7852704965e935f4d1fc83a5ec9, and https://git.kernel.org/stable/c/d75ec7e8ba1979a1eb0b9211d94d749cdce849c8. Contact your Linux distribution (Red Hat, Canonical, SUSE, etc.) for patched kernel releases; stable kernel trees (5.15.x, 5.10.x, 6.1.x, 6.6.x) have integrated these commits. As a workaround pending patching, restrict unprivileged user access to Netlink socket APIs (via seccomp or capability dropping) and disable network shaper functionality if not required. No partial mitigations exist; patching is the definitive solution.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23436 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy