Cyber Resilience

CVE-2026-23105

High

Published: 04 February 2026

Published
04 February 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 6.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23105 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23105 affects the Linux kernel's net/sched qfq (Queue Fair Queuing) scheduler component. The vulnerability arises in the qfq_rm_from_ag function, where the code relied on the child qdisc's qlen to determine class activation status. This approach created potential for exploits through child qlen manipulations, prompting a preventive patch that switches to using cl_is_active for consistency and to block such risks.

Per the CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), exploitation requires a local attacker with low privileges, low attack complexity, and no user interaction. Successful attacks could achieve high impacts on confidentiality, integrity, and availability, likely through manipulations of child queue lengths in the qfq scheduler.

The referenced kernel stable commits provide the mitigation patches, including https://git.kernel.org/stable/c/77f1afd0bb4d5da95236f6114e6d0dfcde187ff6, https://git.kernel.org/stable/c/93b8635974fb050c43d07e35e5edfe6e685ca28a, https://git.kernel.org/stable/c/abd9fc26ea577561a5ef6241a1b058755ffdad0c, https://git.kernel.org/stable/c/b8c24cf5268fb3bfb8d16324c3dbb985f698c835, and https://git.kernel.org/stable/c/d837fbee92453fbb829f950c8e7cf76207d73f33. Security practitioners should update affected Linux kernels to versions incorporating these fixes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag This is more of a preventive patch to make the code more consistent and to prevent possible exploits…

more

that employ child qlen manipulations on qfq. use cl_is_active instead of relying on the child qdisc's qlen to determine class activation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel vulnerability in qfq scheduler enabling privilege escalation via qlen manipulation to achieve root-level access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152Same product: Linux Linux Kernel
CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-23387Same product: Linux Linux Kernel
CVE-2025-21856Same product: Linux Linux Kernel
CVE-2025-21727Same product: Linux Linux Kernel
CVE-2026-23275Same product: Linux Linux Kernel
CVE-2026-31401Same product: Linux Linux Kernel
CVE-2024-57980Same product: Linux Linux Kernel
CVE-2026-23437Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.19 · 3.8 — 5.10.249 · 5.11 — 5.15.199 · 5.16 — 6.1.162

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation applies the kernel patches that replace child qlen checks with cl_is_active in qfq_rm_from_ag, directly eliminating the vulnerability.

detect

Vulnerability scanning identifies Linux kernels vulnerable to CVE-2026-23105 in the net/sched qfq component.

detectrespond

Monitoring security advisories ensures awareness of the qfq scheduler vulnerability and prompts timely patching.

References