CVE-2026-23074
Published: 04 February 2026
Summary
CVE-2026-23074 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 6.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-23074 is a use-after-free vulnerability (CWE-416) in the Linux kernel's net/sched subsystem, stemming from a failure to enforce the design intent that the teql (TCP Equalizer) queueing discipline (qdisc) can only be used as a root qdisc. This flaw allows improper handling of queue lengths and class deactivation when teql is attached as a child qdisc under a parent like QFQ, leading to dangling pointer access. The vulnerability affects Linux kernel versions prior to the application of the referenced stable patches and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this by configuring a root QFQ qdisc with child classes: one using netem to introduce a delay (e.g., 6.4 seconds) and another using teql. Sending a packet to the netem class delays its dequeue, while a subsequent packet enqueued to teql succeeds but does not update the parent's visible queue length (qlen) because teql's peek always returns NULL, preventing dequeue calls. Modifying the teql class's lmax then triggers qfq_change_class, which fails to properly deactivate the class due to the unchanged qlen but frees aggregate pointers anyway. When the delayed netem packet dequeues after the delay, it accesses the dangling pointer, resulting in a use-after-free that could enable kernel memory corruption, denial of service, or potential code execution.
Mitigation involves applying kernel patches that enforce teql usage strictly as a root qdisc, as implemented in the following stable backports:
- https://git.kernel.org/stable/c/0686bedfed34155520f3f735cbf3210cb9044380
- https://git.kernel.org/stable/c/16ed73c1282d376b956bff23e5139add061767ba
- https://git.kernel.org/stable/c/4c7e8aa71c9232cba84c289b4b56cba80b280841
- https://git.kernel.org/stable/c/50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b
- https://git.kernel.org/stable/c/73d970ff0eddd874a84c953387c7f4464b705fc6
Security practitioners should update affected Linux distributions and kernels accordingly.
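A defensive check for the precondition described above, as an added example that is not part of the original page or the kernel patch: it scans `tc qdisc show` text output for a teql qdisc attached under a parent rather than as root. The function names and sample lines are constructed, and the iproute2 line layout `qdisc <kind> <handle> dev <dev> root|parent <classid>` is an assumption.

```sh
#!/bin/sh
# Added example: flag teql qdiscs attached below a parent (non-root).
# Reads `tc qdisc show` text on stdin and prints one line per finding:
#   <dev> <kind> <handle> parent=<classid>
find_child_teql() {
    awk '
    # teql qdiscs are listed with kind names teql0, teql1, ...
    $1 == "qdisc" && $2 ~ /^teql[0-9]+$/ {
        dev = "?"; parent = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "parent") parent = $(i + 1)
        }
        # A root teql has no "parent" token; only child attachments are reported.
        if (parent != "")
            printf "%s %s %s parent=%s\n", dev, $2, $3, parent
    }'
}

# Constructed sample mirroring the topology in the description, plus a
# device where teql is the root qdisc (the intended use, not flagged).
sample_tc_output() {
    cat <<'EOF'
qdisc qfq 1: dev eth0 root refcnt 2
qdisc netem 10: dev eth0 parent 1:1 limit 1000 delay 6.4s
qdisc teql0 20: dev eth0 parent 1:2
qdisc teql0 8001: dev eth1 root refcnt 2
EOF
}

# Live use on a host (requires iproute2):  tc qdisc show | find_child_teql
```

Empty output means no child teql attachment was found; a patched kernel is expected to reject such a configuration outright.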
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5470
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Enforce that teql can only be used as root qdisc
Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.
Although not important, I will describe the scenario that unearthed this issue for the curious.
GangMin Kim <km.kim1503@gmail.com> managed to concoct a scenario as follows:
ROOT qdisc 1:0 (QFQ)
├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s
└── class 1:2 (weight=1, lmax=1514) teql
GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed, causing a UAF.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local use-after-free in kernel net/sched enables privilege escalation via crafted qdisc configuration leading to arbitrary kernel code execution.
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and patching of the kernel flaw enabling teql misuse as a child qdisc, directly preventing the use-after-free vulnerability.
Enforces memory protection mechanisms that mitigate exploitation of the use-after-free in kernel net/sched by safeguarding kernel memory from unauthorized modification.
Limits low-privilege local users' access to configure network qdiscs like teql under QFQ, reducing the opportunity to trigger the dangling pointer UAF.