CVE-2026-23105
Published: 04 February 2026
Summary
CVE-2026-23105 is a high-severity vulnerability of unspecified weakness type in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 6.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23105 affects the Linux kernel's net/sched qfq (Queue Fair Queuing) scheduler component. The defect is in the qfq_rm_from_ag function, which relied on the child qdisc's qlen to decide whether a class was active. Because a child qdisc's qlen can be manipulated, that check was unreliable; the preventive patch switches to cl_is_active so that activation is determined consistently and such manipulations no longer influence it.
Per the CVSS v3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) behind the 7.8 score, exploitation requires a local attacker with low privileges, low attack complexity, and no user interaction. A successful attack could have high impact on confidentiality, integrity, and availability, most likely through manipulation of child queue lengths in the qfq scheduler.
The referenced kernel stable commits provide the mitigation patches, including https://git.kernel.org/stable/c/77f1afd0bb4d5da95236f6114e6d0dfcde187ff6, https://git.kernel.org/stable/c/93b8635974fb050c43d07e35e5edfe6e685ca28a, https://git.kernel.org/stable/c/abd9fc26ea577561a5ef6241a1b058755ffdad0c, https://git.kernel.org/stable/c/b8c24cf5268fb3bfb8d16324c3dbb985f698c835, and https://git.kernel.org/stable/c/d837fbee92453fbb829f950c8e7cf76207d73f33. Security practitioners should update affected Linux kernels to versions incorporating these fixes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5436
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag. This is more of a preventive patch to make the code more consistent and to prevent possible exploits that employ child qlen manipulations on qfq. Use cl_is_active instead of relying on the child qdisc's qlen to determine class activation.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel vulnerability in qfq scheduler enabling privilege escalation via qlen manipulation to achieve root-level access.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation applies the kernel patches that replace child qlen checks with cl_is_active in qfq_rm_from_ag, directly eliminating the vulnerability.
Vulnerability scanning identifies Linux kernels that still contain the vulnerable qfq_rm_from_ag logic in the net/sched qfq component, so they can be prioritised for patching.
Monitoring security advisories ensures awareness of the qfq scheduler vulnerability and prompts timely patching.
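As an added inventory check, not part of this advisory or of the kernel project, the following POSIX shell snippet helps a defender find hosts where the qfq scheduler is actually configured, which is where this vulnerability matters in practice. It parses `tc qdisc show` output for qfq qdiscs and checks a kernel config file for CONFIG_NET_SCH_QFQ. The `tc` output embedded below is constructed sample data, and the config path is an assumption about where the running kernel's config lives.

```shell
#!/bin/sh
# Constructed sample of `tc qdisc show` output (not captured from a real host).
SAMPLE_TC='qdisc noqueue 0: dev lo root refcnt 2
qdisc fq_codel 0: dev eth0 root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64
qdisc qfq 1: dev eth1 root refcnt 2
qdisc pfifo 10: dev eth1 parent 1:1 limit 1000p'

# qfq_devs: read `tc qdisc show` output on stdin and print each interface
# that has a qfq qdisc attached (root or child), one per line, deduplicated.
qfq_devs() {
    awk '$1 == "qdisc" && $2 == "qfq" {
             for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1)
         }' | sort -u
}

# kernel_has_qfq: return 0 if the kernel config text on stdin enables
# CONFIG_NET_SCH_QFQ either built-in (y) or as a module (m).
kernel_has_qfq() {
    grep -Eq '^CONFIG_NET_SCH_QFQ=(y|m)$'
}

# check_host: run both checks against the live system. Assumes iproute2 is
# installed and that the kernel config is at /boot/config-<release>.
check_host() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ] && kernel_has_qfq < "$cfg"; then
        echo "CONFIG_NET_SCH_QFQ enabled in $cfg"
    fi
    tc qdisc show 2>/dev/null | qfq_devs
}
```

Run `check_host` on a host to list interfaces using qfq; an empty list with CONFIG_NET_SCH_QFQ disabled means the vulnerable code path is not reachable there, while any listed interface marks the host for priority patching with the referenced stable commits.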