Cyber Resilience

CVE-2026-23340

High

Published: 25 March 2026

Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23340 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-23340 is a use-after-free (UAF) vulnerability in the Linux kernel's network scheduler (net: sched), caused by a race between qdisc_reset_all_tx_gt() and the dequeue path of lockless qdiscs. When the number of real transmit (tx) queues is shrunk, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush the qdiscs of queues that will no longer be used. That function serializes qdisc_reset() with qdisc_lock(), but lockless qdiscs serialize dequeue with qdisc->seqlock via qdisc_run_begin/end(), so the two paths do not exclude each other. qdisc_reset() can therefore run concurrently with __qdisc_run() and free skbs that are still being dequeued. The issue affects kernels that use lockless (TCQ_F_NOLOCK) qdiscs and is reproducible on, for example, virtio-net.

A local attacker with low privileges (PR:L) can exploit this under low attack complexity (AC:L) by generating heavy network traffic while repeatedly changing the number of queue pairs, for example, running iperf3 for UDP traffic alongside a loop of ethtool commands like "ethtool -L eth0 combined 1" and "ethtool -L eth0 combined 2". This triggers the race and leads to a UAF in __qdisc_run(). KASAN reports confirm it: the skb is allocated via sock_alloc_send_pskb() and freed by pfifo_fast_reset(), which is reached from netif_set_real_num_tx_queues(). Successful exploitation yields high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), potentially enabling arbitrary code execution, data corruption, or kernel crashes.

Kernel patches, available in stable trees via commits such as 5bb27ad54d12de67e457d7d251198e361bef835e and others, mitigate the issue by serializing qdisc_reset_all_tx_gt() against the lockless dequeue path using qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching dev_reset_queue()'s model. They also clear QDISC_STATE_NON_EMPTY post-reset to accurately reflect empty queues and prevent unnecessary rescheduling. Security practitioners should update to patched kernel versions and monitor for systems with dynamic queue reconfiguration under high load.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs

When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used.

qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_reset() can run concurrently with __qdisc_run() and free skbs while they are still being dequeued, leading to UAF.

This can easily be reproduced on e.g. virtio-net by imposing heavy traffic while frequently changing the number of queue pairs:

    iperf3 -ub0 -c $peer -t 0 &
    while :; do
        ethtool -L eth0 combined 1
        ethtool -L eth0 combined 2
    done

With KASAN enabled, this leads to reports like:

    BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760
    ...
    Call Trace:
     <TASK>
     ...
     __qdisc_run+0x133f/0x1760
     __dev_queue_xmit+0x248f/0x3550
     ip_finish_output2+0xa42/0x2110
     ip_output+0x1a7/0x410
     ip_send_skb+0x2e6/0x480
     udp_send_skb+0xb0a/0x1590
     udp_sendmsg+0x13c9/0x1fc0
     ...
     </TASK>

    Allocated by task 1270 on cpu 5 at 44.558414s:
     ...
     alloc_skb_with_frags+0x84/0x7c0
     sock_alloc_send_pskb+0x69a/0x830
     __ip_append_data+0x1b86/0x48c0
     ip_make_skb+0x1e8/0x2b0
     udp_sendmsg+0x13a6/0x1fc0
     ...

    Freed by task 1306 on cpu 3 at 44.558445s:
     ...
     kmem_cache_free+0x117/0x5e0
     pfifo_fast_reset+0x14d/0x580
     qdisc_reset+0x9e/0x5f0
     netif_set_real_num_tx_queues+0x303/0x840
     virtnet_set_channels+0x1bf/0x260 [virtio_net]
     ethnl_set_channels+0x684/0xae0
     ethnl_default_set_doit+0x31a/0x890
     ...

Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the serialization model already used by dev_reset_queue().

Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state reflects an empty queue, avoiding needless re-scheduling.
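For triage, the KASAN report quoted in the description can be turned into a log signature: a use-after-free faulting in __qdisc_run() whose "Freed by" stack passes through qdisc_reset() and netif_set_real_num_tx_queues(). The following is an added example, not code from this page or from the kernel project; the function names, the section handling and the sample log are assumptions constructed for illustration.

```python
import re

# Constructed sample log: report 1 reuses frames quoted in the CVE description,
# report 2 is an unrelated, made-up report for contrast.
SAMPLE_LOG = """\
[   44.558501] BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760
[   44.558530] Call Trace:
[   44.558531]  <TASK>
[   44.558540]  __qdisc_run+0x133f/0x1760
[   44.558560] Allocated by task 1270 on cpu 5 at 44.558414s:
[   44.558562]  sock_alloc_send_pskb+0x69a/0x830
[   44.558570] Freed by task 1306 on cpu 3 at 44.558445s:
[   44.558572]  pfifo_fast_reset+0x14d/0x580
[   44.558573]  qdisc_reset+0x9e/0x5f0
[   44.558574]  netif_set_real_num_tx_queues+0x303/0x840
[   44.558575]  virtnet_set_channels+0x1bf/0x260 [virtio_net]
[   90.000001] BUG: KASAN: slab-out-of-bounds in example_fn+0x10/0x40
[   90.000002] Call Trace:
[   90.000003]  example_fn+0x10/0x40
"""

HEADER = re.compile(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x")
FRAME = re.compile(r"^\s*\??\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SECTIONS = {"Call Trace:": "access", "Allocated by task": "alloc", "Freed by task": "free"}

def parse_kasan_reports(log):
    """Split a kernel log into KASAN reports with per-section function names."""
    reports, cur, section = [], None, None
    for raw in log.splitlines():
        line = re.sub(r"^\[\s*\d+\.\d+\]\s?", "", raw).strip()  # drop dmesg timestamp
        if m := HEADER.search(line):
            cur = {"kind": m[1], "fault_fn": m[2], "access": [], "alloc": [], "free": []}
            reports.append(cur)
            section = None
        elif cur is not None and line.endswith(":"):
            # Section header: known ones select a stack, unknown ones end the current stack.
            section = next((v for k, v in SECTIONS.items() if line.startswith(k)), None)
        elif cur is not None and section and (f := FRAME.match(line)):
            cur[section].append(f[1])
    return reports

def matches_qdisc_reset_race(r):
    """True when a report has the shape the CVE-2026-23340 description quotes."""
    return (r["kind"].endswith("use-after-free") and r["fault_fn"] == "__qdisc_run"
            and {"qdisc_reset", "netif_set_real_num_tx_queues"} <= set(r["free"]))

if __name__ == "__main__":
    for r in parse_kasan_reports(SAMPLE_LOG):
        print(r["kind"], r["fault_fn"], matches_qdisc_reset_race(r))
```

Feed it dmesg output from a KASAN-enabled kernel; kernels built without KASAN do not emit these reports.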

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF race condition directly enables exploitation for privilege escalation to arbitrary code execution or DoS in kernel context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2026-43019 · Same product: Linux Linux Kernel
CVE-2026-23158 · Same product: Linux Linux Kernel
CVE-2025-21893 · Same product: Linux Linux Kernel
CVE-2026-31446 · Same product: Linux Linux Kernel
CVE-2026-31650 · Same product: Linux Linux Kernel
CVE-2026-23001 · Same product: Linux Linux Kernel
CVE-2024-50051 · Same product: Linux Linux Kernel
CVE-2025-21759 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
4.16, 7.0 · 4.16.1 — 5.15.203 · 5.16 — 6.1.167 · 6.2 — 6.6.130

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the UAF vulnerability by requiring timely application of Linux kernel patches that serialize qdisc_reset_all_tx_gt() with lockless qdisc dequeue paths using seqlock.

prevent

Provides memory safeguards like KASLR, SMEP, and SMAP that hinder exploitation of the use-after-free in kernel skb handling during concurrent dequeue and reset operations.

prevent

Enforces secure kernel configuration settings to restrict dynamic tx queue resizing or disable lockless qdiscs, reducing exposure to the race condition under heavy network traffic.
