Skip to main content

Linux CVE-2026-23463

| EUVDEUVD-2026-18726 MEDIUM
Race Condition (CWE-362)
2026-04-03 Linux GHSA-cxrg-39g8-v6cj
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 20, 2026 - 15:37 NVD
4.7 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
014077044e874e270ec480515edbc1cadb976cf2,751f60bd48edaf03f9d84ab09e5ce6705757d50f,265e56714635c5dd1e5964bfd97fa6e73f62cde5
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18726
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

soc: fsl: qbman: fix race condition in qman_destroy_fq

When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.

Indeed, we can have: Thread A Thread B qman_destroy_fq() qman_create_fq() qman_release_fqid() qman_shutdown_fq() gen_pool_free() -- At this point, the fqid is available again -- qman_alloc_fqid() -- so, we can get the just-freed fqid in thread B -- fq->fqid = fqid; fq->idx = fqid * 2; WARN_ON(fq_table[fq->idx]); fq_table[fq->idx] = fq; fq_table[fq->idx] = NULL;

And adding some logs between qman_release_fqid() and fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.

To prevent that, ensure that fq_table[fq->idx] is set to NULL before gen_pool_free() is called by using smp_wmb().

AnalysisAI

Race condition in Linux kernel QMan driver allows concurrent queue frame descriptor allocation and deallocation to corrupt internal state, causing WARN_ON triggers and potential information disclosure via stale fq_table entries. The vulnerability affects systems using Freescale/NXP QBMan queue management with dynamic FQID allocation enabled (QMAN_FQ_FLAG_DYNAMIC_FQID). No public exploit code or active exploitation confirmed; upstream fix merged via memory barrier enforcement to serialize table cleanup before FQID pool deallocation.

Technical ContextAI

The vulnerability exists in the Linux kernel's Freescale QBMan (Queue Based Memory Access Node) driver, specifically in the queue frame descriptor (FQ) lifecycle management. QBMan is a hardware queue manager used in NXP processors for packet switching and data plane operations. The flaw involves a classic time-of-check-time-of-use (TOCTOU) race condition in the soc/fsl/qbman subsystem when QMAN_FQ_FLAG_DYNAMIC_FQID is set, indicating dynamic FQID allocation from a generic pool. The fq_table array tracks active queue descriptors by index (fqid * 2), and the race occurs between Thread A clearing the table entry (fq_table[fq->idx] = NULL) and calling gen_pool_free() to return the FQID to the allocator pool. During this window, Thread B can allocate the same FQID, set fq_table[fq->idx] to itself, then Thread A overwrites it with NULL, leaving a dangling reference and triggering WARN_ON assertions in qman_create_fq(). The root cause is a missing write memory barrier (smp_wmb) between the table cleanup and pool deallocation, violating acquire-release semantics required for safe concurrent data structure updates.

RemediationAI

Upstream fix available via kernel stable branches; patch implementations are committed in Linux kernel git repository (referenced commits above). Apply the memory barrier fix by updating to a kernel version containing these upstream commits, or backport the smp_wmb() enforcement between fq_table[fq->idx] = NULL and gen_pool_free() calls in qman_release_fqid(). The fix ensures write memory ordering so that the fq_table entry is definitively cleared before the FQID becomes available for reallocation. For production systems, identify kernel version from /proc/version and consult your distribution's security advisories for backported patches in stable kernel branches (e.g., 5.10.x, 5.15.x, 6.1.x). No workaround mitigates the race condition without kernel patching; system operators should disable dynamic FQID allocation if possible (set QMAN_FQ_FLAG_DYNAMIC_FQID = 0), but this may reduce queue flexibility.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy