CVE-2026-23340
Published: 25 March 2026
Summary
CVE-2026-23340 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-23340 is a use-after-free (UAF) vulnerability in the Linux kernel's networking scheduler (net: sched), arising from a race condition between qdisc_reset_all_tx_gt() and dequeue operations in lockless qdiscs. When shrinking the number of transmit (tx) queues via netif_set_real_num_tx_queues(), the function calls qdisc_reset_all_tx_gt() to flush unused qdiscs, but this serializes with qdisc_lock() while lockless qdiscs use qdisc->seqlock for dequeue serialization via qdisc_run_begin/end(). This allows concurrent execution of qdisc_reset() and __qdisc_run(), freeing skbs still in use during dequeue. The issue affects Linux kernel versions using lockless qdiscs, such as those in virtio-net drivers.
A local attacker with low privileges (PR:L) can exploit this under low attack complexity (AC:L) by generating heavy network traffic while repeatedly changing the number of queue pairs, for example, running iperf3 for UDP traffic alongside a loop of ethtool commands like "ethtool -L eth0 combined 1" and "ethtool -L eth0 combined 2". This triggers the race, leading to a UAF in __qdisc_run() as confirmed by KASAN reports during skb allocation in sock_alloc_send_pskb() and freeing in pfifo_fast_reset() via netif_set_real_num_tx_queues(). Successful exploitation yields high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), potentially enabling arbitrary code execution, data corruption, or kernel crashes.
Kernel patches, available in stable trees via commits such as 5bb27ad54d12de67e457d7d251198e361bef835e and others, mitigate the issue by serializing qdisc_reset_all_tx_gt() against the lockless dequeue path using qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching dev_reset_queue()'s model. They also clear QDISC_STATE_NON_EMPTY post-reset to accurately reflect empty queues and prevent unnecessary rescheduling. Security practitioners should update to patched kernel versions and monitor for systems with dynamic queue reconfiguration under high load.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15307
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer…
more
be used. qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_reset() can run concurrently with __qdisc_run() and free skbs while they are still being dequeued, leading to UAF. This can easily be reproduced on e.g. virtio-net by imposing heavy traffic while frequently changing the number of queue pairs: iperf3 -ub0 -c $peer -t 0 & while :; do ethtool -L eth0 combined 1 ethtool -L eth0 combined 2 done With KASAN enabled, this leads to reports like: BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760 ... Call Trace: <TASK> ... __qdisc_run+0x133f/0x1760 __dev_queue_xmit+0x248f/0x3550 ip_finish_output2+0xa42/0x2110 ip_output+0x1a7/0x410 ip_send_skb+0x2e6/0x480 udp_send_skb+0xb0a/0x1590 udp_sendmsg+0x13c9/0x1fc0 ... </TASK> Allocated by task 1270 on cpu 5 at 44.558414s: ... alloc_skb_with_frags+0x84/0x7c0 sock_alloc_send_pskb+0x69a/0x830 __ip_append_data+0x1b86/0x48c0 ip_make_skb+0x1e8/0x2b0 udp_sendmsg+0x13a6/0x1fc0 ... Freed by task 1306 on cpu 3 at 44.558445s: ... kmem_cache_free+0x117/0x5e0 pfifo_fast_reset+0x14d/0x580 qdisc_reset+0x9e/0x5f0 netif_set_real_num_tx_queues+0x303/0x840 virtnet_set_channels+0x1bf/0x260 [virtio_net] ethnl_set_channels+0x684/0xae0 ethnl_default_set_doit+0x31a/0x890 ... Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the serialization model already used by dev_reset_queue(). Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state reflects an empty queue, avoiding needless re-scheduling.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel UAF race condition directly enables exploitation for privilege escalation to arbitrary code execution or DoS in kernel context.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the UAF vulnerability by requiring timely application of Linux kernel patches that serialize qdisc_reset_all_tx_gt() with lockless qdisc dequeue paths using seqlock.
Provides memory safeguards like KASLR, SMEP, and SMAP that hinder exploitation of the use-after-free in kernel skb handling during concurrent dequeue and reset operations.
Enforces secure kernel configuration settings to restrict dynamic tx queue resizing or disable lockless qdiscs, reducing exposure to the race condition under heavy network traffic.