Skip to main content

Linux EUVDEUVD-2026-18192

| CVE-2026-23413 HIGH
Use After Free (CWE-416)
2026-04-02 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 24, 2026 - 15:37 vuln.today
cvss_changed
CVSS changed
Apr 24, 2026 - 15:37 NVD
7.8 (HIGH)
Patch released
Apr 02, 2026 - 14:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 12:00 euvd
EUVD-2026-18192
Analysis Generated
Apr 02, 2026 - 12:00 vuln.today
CVE Published
Apr 02, 2026 - 11:40 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

clsact: Fix use-after-free in init/destroy rollback asymmetry

Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry. The latter is achieved by first fully initializing a clsact instance, and then in a second step having a replacement failure for the new clsact qdisc instance. clsact_init() initializes ingress first and then takes care of the egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon failure, the kernel will trigger the clsact_destroy() callback.

Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the way how the transition is happening. If tcf_block_get_ext on the q->ingress_block ends up failing, we took the tcx_miniq_inc reference count on the ingress side, but not yet on the egress side. clsact_destroy() tests whether the {ingress,egress}_entry was non-NULL. However, even in midway failure on the replacement, both are in fact non-NULL with a valid egress_entry from the previous clsact instance.

What we really need to test for is whether the qdisc instance-specific ingress or egress side previously got initialized. This adds a small helper for checking the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon clsact_destroy() in order to fix the use-after-free scenario. Convert the ingress_destroy() side as well so both are consistent to each other.

AnalysisAI

Use-after-free in Linux kernel clsact qdisc initialization and destruction rollback allows local denial of service or potential information disclosure when qdisc replacement fails midway during tcf_block_get_ext() operations. The vulnerability stems from asymmetric initialization and cleanup paths where egress_entry references from a previous clsact instance remain valid during failure scenarios, leading to double-free or use-after-free conditions. Affected Linux kernel versions across all distributions that include the clsact traffic control qdisc require patching.

Technical ContextAI

The clsact (classify-act) qdisc is a Linux kernel traffic control module (net/sched/sch_clsact.c) that manages ingress and egress packet classification. The vulnerability originates in the init/destroy asymmetry: clsact_init() initializes ingress side first, then egress, and can fail during tcf_block_get_ext() operations. Upon failure, clsact_destroy() is invoked as rollback. The original code checked whether ingress_entry and egress_entry pointers were non-NULL to decide cleanup, but these pointers can reference valid entries from a previous (pre-replacement) clsact instance. This creates a use-after-free condition because the kernel may attempt to release or dereference objects that have already been freed or belong to the old instance. The fix introduces a mini_qdisc_pair_inited() helper function to explicitly track whether the current qdisc instance actually initialized its miniq structures, distinguishing between valid entries from the current instance versus stale references from prior instances. Related to CWE-416 (Use After Free) and CWE-415 (Double Free).

RemediationAI

Update Linux kernel to a version that includes the clsact use-after-free fix. Users should check their distribution's security advisories for backported patches to stable kernel versions (e.g., 5.10.x, 5.15.x, 6.1.x, 6.6.x, etc.) and apply them via kernel update. The upstream fix is available in the stable kernel git repository at https://git.kernel.org/stable/ via the commit hashes provided: a73d95b57bf9faebdfed591bcb7ed9292062a84c, 37bef86e5428d59f70a4da82b80f9a8f252fecbe, 4c9af67f99aa3e51b522c54968ab3ac8272be41c, 0509b762bc5e8ea7b8391130730c6d8502fc6e69, and a0671125d4f55e1e98d9bde8a0b671941987e208 across different stable branches. Until patching, restrict network administrative privileges (CAP_NET_ADMIN) to trusted users only.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.10-1 -
(unstable) fixed 6.19.10-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy