Cyber Resilience

CVE-2026-23245

High · Updated

Published: 18 March 2026

Modified: 21 May 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23245 is a high-severity vulnerability in the Linux kernel; its weakness type (CWE) is unspecified. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-5 (Access Restrictions for Change).

Deeper analysis

CVE-2026-23245 affects the Linux kernel's net/sched act_gate component. The vulnerability occurs because the gate action can be replaced while the hrtimer callback or dump path is walking the schedule list, potentially leading to inconsistent state or race conditions during these operations.

A local attacker with low privileges can exploit this issue with low attack complexity and no user interaction required. Successful exploitation enables high impacts on confidentiality, integrity, and availability, as indicated by the CVSS score of 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The referenced kernel stable patches mitigate the vulnerability by converting the parameters to an RCU-protected snapshot, swapping updates under tcf_lock, and freeing the previous snapshot via call_rcu(). When a REPLACE operation omits the entry list, the existing schedule is preserved so that the effective state is unchanged.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_gate: snapshot parameters with RCU on replace

The gate action can be replaced while the hrtimer callback or dump path is walking the schedule list. Convert the parameters to an RCU-protected snapshot and swap updates under tcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits the entry list, preserve the existing schedule so the effective state is unchanged.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel race condition in net/sched act_gate enables privilege escalation via inconsistent state during replacement of gate actions.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152 · Same product: Linux Linux Kernel
CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2026-23387 · Same product: Linux Linux Kernel
CVE-2025-21856 · Same product: Linux Linux Kernel
CVE-2025-21727 · Same product: Linux Linux Kernel
CVE-2026-23275 · Same product: Linux Linux Kernel
CVE-2026-31401 · Same product: Linux Linux Kernel
CVE-2024-57980 · Same product: Linux Linux Kernel
CVE-2026-23437 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.8, 7.0 · 5.8.1 — 5.10.253 · 5.11 — 6.1.167 · 6.2 — 6.6.130

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the race condition in net/sched act_gate by requiring timely remediation through application of the kernel patch implementing RCU snapshots and tcf_lock synchronization.

prevent

Prohibits or restricts non-essential kernel traffic control gate actions, preventing exposure to the vulnerability if the affected functionality is unnecessary.

prevent

Restricts and monitors access to kernel configuration components like net/sched actions, limiting low-privilege local attackers' ability to trigger the concurrent replacement race.

References