Skip to main content

Linux EUVDEUVD-2026-12808

| CVE-2026-23245 HIGH
2026-03-18 Linux
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Apr 18, 2026 - 09:44 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 18, 2026 - 09:44 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 09:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 10:30 euvd
EUVD-2026-12808
Analysis Generated
Mar 18, 2026 - 10:30 vuln.today
CVE Published
Mar 18, 2026 - 10:05 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_gate: snapshot parameters with RCU on replace

The gate action can be replaced while the hrtimer callback or dump path is walking the schedule list.

Convert the parameters to an RCU-protected snapshot and swap updates under tcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits the entry list, preserve the existing schedule so the effective state is unchanged.

AnalysisAI

Race condition in Linux kernel's Traffic Control act_gate scheduler allows local authenticated users to trigger memory corruption and potentially execute arbitrary code or cause denial of service. Affects Linux kernel 5.8+ through 6.19.x and 7.0-rc3. Vulnerability arises when concurrent gate action replacement occurs during hrtimer callback or dump operations, creating a use-after-free scenario. No active exploitation confirmed (EPSS 0.02%, not in CISA KEV). Vendor patches available across multiple stable branches including 6.18.18, 6.19.8, and 7.0-rc3.

Technical ContextAI

The act_gate Traffic Control action in Linux implements time-aware scheduling for network packets, using high-resolution timers (hrtimer) to manage gate schedules. The vulnerability stems from insufficient synchronization when replacing gate action parameters. When an existing gate action is replaced via the TC_ACT_REPLACE operation, the new parameters can be swapped in while concurrent code paths (hrtimer callback processing packets, or netlink dump operations enumerating the schedule list) are still walking the schedule data structures. Without proper RCU (Read-Copy-Update) protection, this creates a classic time-of-check-time-of-use race condition where freed memory can be accessed. The fix implements RCU snapshots of parameters, atomic pointer swapping under tcf_lock, and deferred reclamation via call_rcu(). This is a use-after-free vulnerability class, though no CWE was formally assigned by NVD.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.18 or later in the 6.18.x series, 6.19.8 or later in the 6.19.x series, or 7.0-rc3 or later in the development branch. Patch commits available at https://git.kernel.org/stable/c/04d75529dc0f9be78786162ebab7424af4644df2 (6.19.8), https://git.kernel.org/stable/c/58b162e318d0243ad2d7d92456c0873f2494c351 (7.0-rc3), and https://git.kernel.org/stable/c/62413a9c3cb183afb9bb6e94dd68caf4e4145f4c (mainline). If immediate patching is not feasible, disable the act_gate Traffic Control action by blacklisting the act_gate kernel module or restricting CAP_NET_ADMIN capability in containerized environments to prevent untrusted users from configuring TC rules. Note that disabling act_gate will break time-aware traffic scheduling for TSN (Time-Sensitive Networking) or 802.1Qbv implementations. For production systems requiring act_gate functionality, prioritize kernel updates and audit which users/containers have CAP_NET_ADMIN permissions.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky vulnerable 6.19.6-2 -
sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-12808 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy