CVE-2026-23074

High

Published: 04 February 2026

Modified: 03 April 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.3th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23074 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 6.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-23074 is a use-after-free vulnerability (CWE-416) in the Linux kernel's net/sched subsystem, stemming from a failure to enforce the design intent that the teql (TCP Equalizer) queueing discipline (qdisc) can only be used as a root qdisc. This flaw allows improper handling of queue lengths and class deactivation when teql is attached as a child qdisc under a parent like QFQ, leading to dangling pointer access. The vulnerability affects Linux kernel versions prior to the application of the referenced stable patches and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this by configuring a root QFQ qdisc with child classes: one using netem to introduce a delay (e.g., 6.4 seconds) and another using teql. Sending a packet to the netem class delays its dequeue, while a subsequent packet enqueued to teql succeeds but does not update the parent's visible queue length (qlen) because teql's peek always returns NULL, preventing dequeue calls. Modifying the teql class's lmax then triggers qfq_change_class, which fails to properly deactivate the class due to the unchanged qlen but frees aggregate pointers anyway. When the delayed netem packet dequeues after the delay, it accesses the dangling pointer, resulting in a use-after-free that could enable kernel memory corruption, denial of service, or potential code execution.

Mitigation involves applying kernel patches that enforce teql usage strictly as a root qdisc, as implemented in the following stable backports: https://git.kernel.org/stable/c/0686bedfed34155520f3f735cbf3210cb9044380, https://git.kernel.org/stable/c/16ed73c1282d376b956bff23e5139add061767ba, https://git.kernel.org/stable/c/4c7e8aa71c9232cba84c289b4b56cba80b280841, https://git.kernel.org/stable/c/50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b, and https://git.kernel.org/stable/c/73d970ff0eddd874a84c953387c7f4464b705fc6. Security practitioners should update affected Linux distributions and kernels accordingly.
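A configuration audit for the precondition described above, as an added example (not code from the kernel patch or from this page's sources): it parses `tc qdisc show` text output and reports any teql qdisc attached under a parent class instead of at the root. The sample output, the function name `find_child_teql` and the `--live` switch are assumptions made for this illustration.

```python
import re
import subprocess
import sys

# Constructed sample of `tc qdisc show` output (not captured from a real host).
SAMPLE = """\
qdisc qfq 1: dev eth0 root refcnt 2
qdisc netem 10: dev eth0 parent 1:1 limit 1000 delay 6.4s
qdisc teql0 20: dev eth0 parent 1:2
qdisc teql0 8001: dev eth1 root refcnt 2
"""

LINE = re.compile(
    r"^qdisc (?P<kind>\S+) (?P<handle>[0-9a-f]*:) dev (?P<dev>\S+) "
    r"(?:(?P<root>root)|parent (?P<parent>\S+))"
)


def find_child_teql(tc_output):
    """Return one finding per teql qdisc that is not attached at the root."""
    qdiscs = [m.groupdict() for m in map(LINE.match, tc_output.splitlines()) if m]
    # Map (device, handle) -> kind so the parent qdisc can be named.
    kinds = {(q["dev"], q["handle"]): q["kind"] for q in qdiscs}
    findings = []
    for q in qdiscs:
        # teql qdiscs are registered per master device: teql0, teql1, ...
        if not q["kind"].startswith("teql") or q["root"]:
            continue
        # Parent class "1:2" belongs to the qdisc with handle "1:".
        parent_handle = q["parent"].split(":")[0] + ":"
        findings.append({
            "dev": q["dev"],
            "teql": q["kind"],
            "parent_class": q["parent"],
            "parent_kind": kinds.get((q["dev"], parent_handle), "unknown"),
        })
    return findings


if __name__ == "__main__":
    # With --live, audit this host; otherwise use the constructed sample.
    if "--live" in sys.argv:
        text = subprocess.run(["tc", "qdisc", "show"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE
    for f in find_child_teql(text):
        print("teql as child qdisc: {dev} {teql} under {parent_kind} "
              "class {parent_class}".format(**f))
```

A finding means the host accepted teql as a child qdisc, which is the arrangement the referenced patches are described as refusing, so it is a cue to check the running kernel against the fixed stable releases.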

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Enforce that teql can only be used as root qdisc

Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.

Although not important, I will describe the scenario that unearthed this issue for the curious.

GangMin Kim <km.kim1503@gmail.com> managed to concoct a scenario as follows:

ROOT qdisc 1:0 (QFQ)
  ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s
  └── class 1:2 (weight=1, lmax=1514) teql

GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed causing GangMin's causing a UAF.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local use-after-free in kernel net/sched enables privilege escalation via crafted qdisc configuration leading to arbitrary kernel code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2026-43019 · Same product: Linux Linux Kernel
CVE-2026-23158 · Same product: Linux Linux Kernel
CVE-2025-21893 · Same product: Linux Linux Kernel
CVE-2026-31446 · Same product: Linux Linux Kernel
CVE-2026-31650 · Same product: Linux Linux Kernel
CVE-2026-23001 · Same product: Linux Linux Kernel
CVE-2024-50051 · Same product: Linux Linux Kernel
CVE-2025-21759 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
2.6.12, 6.19 · 2.6.12.1 — 5.10.249 · 5.11 — 5.15.199 · 5.16 — 6.1.162

Mitigating Controls (NIST 800-53 r5)

prevent

Requires timely identification, reporting, and patching of the kernel flaw enabling teql misuse as a child qdisc, directly preventing the use-after-free vulnerability.

prevent

Enforces memory protection mechanisms that mitigate exploitation of the use-after-free in kernel net/sched by safeguarding kernel memory from unauthorized modification.

prevent

Limits low-privilege local users' access to configure network qdiscs like teql under QFQ, reducing the opportunity to trigger the dangling pointer UAF.
