Skip to main content

Linux EUVDEUVD-2026-18678

| CVE-2026-23437 HIGH
2026-04-03 Linux GHSA-9wj8-78x3-52f8
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
Severity Changed
Apr 27, 2026 - 14:22 NVD
MEDIUM HIGH
CVSS changed
Apr 27, 2026 - 14:22 NVD
5.5 (MEDIUM) 7.8 (HIGH)
CVSS changed
Apr 23, 2026 - 21:11 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
581eee0890a8bde44f1fb78ad3e70502a897d583,348758ba74e6a348299965b16a97cfb817545cc0,0f9ea7141f365b4f27226898e62220fb98ef8dc6
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18678
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: shaper: protect late read accesses to the hierarchy

We look up a netdev during prep of Netlink ops (pre- callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU which are the actual protections.

This is not proper, a conversion from a ref to a locked netdev must include a liveness check (a check if the netdev hasn't been unregistered already). Fix the read cases (those under RCU). Writes needs a separate change to protect from creating the hierarchy after flush has already run.

AnalysisAI

Linux kernel net shaper module fails to validate netdev liveness during hierarchy read operations, allowing information disclosure through use-after-free conditions when a network device is unregistered while RCU-protected read operations are in progress. The vulnerability affects the netlink operation callbacks in the shaper subsystem, where references acquired during pre-callbacks are not validated before later lock/RCU acquisitions, creating a race condition that can expose kernel memory or cause denial of service. No public exploit code has been identified at time of analysis, and the issue requires local access to trigger netlink operations.

Technical ContextAI

The Linux kernel's net shaper subsystem manages traffic shaping hierarchy through netlink operations. The vulnerability exists in the reference counting and synchronization model: netdev references are obtained during netlink pre-callbacks (prep phase) without subsequent liveness validation before RCU read-side critical sections in the callback body. This violates proper kernel synchronization patterns where a conversion from reference-counted access to RCU-protected access must include a check that the device hasn't been unregistered (netdev_is_rx_handler_busy or similar validation). The CWE classification is unavailable, but the root cause aligns with CWE-416 (Use After Free) and CWE-362 (Concurrent Modification) patterns. The shaper module uses RCU for read-side synchronization of hierarchy traversal, but the pre-ref and post-lock/RCU pattern creates a window where the netdev can transition to an unregistered state, causing the RCU-protected read to access freed or invalid hierarchy structures. The fix adds liveness checks during the read path; write-side protection requires separate changes to prevent hierarchy creation after flush operations have commenced.

RemediationAI

Apply the upstream fixes available in stable kernel branches via the following commits: 581eee0890a8bde44f1fb78ad3e70502a897d583, 348758ba74e6a348299965b16a97cfb817545cc0, and 0f9ea7141f365b4f27226898e62220fb98ef8dc6. These commits add liveness checks during RCU read-side operations in the shaper hierarchy lookup path. Users should upgrade to a stable or longterm kernel version that includes these commits-check the kernel.org stable branch releases (https://git.kernel.org/stable/) for the earliest patched version in your current series (e.g., 5.15.x, 6.1.x, 6.6.x). For systems unable to immediately patch, disable netlink-based traffic shaping configuration or restrict netlink access to trusted processes via AppArmor/SELinux until an upgrade is available. Monitor your kernel version against the stable branch changelogs to confirm all three fixes are included.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18678 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy