CVE-2026-23413
Published: 02 April 2026
Summary
CVE-2026-23413 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23413 is a use-after-free vulnerability in the Linux kernel's clsact queue discipline (qdisc), stemming from an asymmetry between initialization and the destroy rollback. clsact_init() sets up the ingress block first, followed by egress, and a failure midway, such as in tcf_block_get_ext(), triggers clsact_destroy(). The destroy function tests whether the ingress/egress entries are non-NULL, but during a failed replacement both are non-NULL, with a valid egress entry from the previous clsact instance. Cleanup therefore acts on a side the new instance never initialized, and the imbalanced reference counts lead to a use-after-free. The issue is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by triggering the faulty init/destroy sequence in the clsact qdisc, potentially during qdisc replacement operations. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution, data corruption, or kernel crashes within the attacker's privilege context.
Mitigation involves applying the relevant stable kernel patches, as detailed in the upstream commits: 0509b762bc5e8ea7b8391130730c6d8502fc6e69 (introduces mini_qdisc_pair_inited helper for proper initialization checks), 37bef86e5428d59f70a4da82b80f9a8f252fecbe, 4c9af67f99aa3e51b522c54968ab3ac8272be41c, a0671125d4f55e1e98d9bde8a0b671941987e208, and a73d95b57bf9faebdfed591bcb7ed9292062a84c. These fixes ensure clsact_destroy() accurately verifies qdisc-specific initialization before cleanup, preventing the use-after-free.
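The rollback asymmetry described above, reduced to a userspace reference-count model (an added example, not kernel code and not the upstream patch). The struct and function names are hypothetical, and the per-instance inited flags stand in for the mini_qdisc_pair_inited check as an assumption.

```c
/* Constructed userspace model; all names are hypothetical, not kernel code. */
#include <stdbool.h>
#include <stdio.h>
struct entry  { int refs; bool released; };        /* per-device, outlives one qdisc */
struct device { struct entry *ingress, *egress; };
struct clsact { bool in_inited, eg_inited; };      /* per-instance state */
static void entry_get(struct entry *e) { e->refs++; }
static void entry_put(struct entry *e) { if (--e->refs == 0) e->released = true; }

/* Ingress first, then egress; fail_midway models block setup failing in between. */
static int model_init(struct device *d, struct clsact *q, bool fail_midway)
{
    entry_get(d->ingress); q->in_inited = true;
    if (fail_midway) return -1;
    entry_get(d->egress);  q->eg_inited = true;
    return 0;
}

/* Pre-fix logic: only asks whether the device-level entries exist. */
static void destroy_entry_check(struct device *d, struct clsact *q)
{
    (void)q;
    if (d->ingress) entry_put(d->ingress);
    if (d->egress)  entry_put(d->egress);
}

/* Post-fix logic: asks whether this instance initialized each side. */
static void destroy_inited_check(struct device *d, struct clsact *q)
{
    if (q->in_inited) entry_put(d->ingress);
    if (q->eg_inited) entry_put(d->egress);
}

/* True if the egress entry is released while the first instance still holds it. */
static bool rollback_releases_live_egress(bool fixed)
{
    struct entry in = {0, false}, eg = {0, false};
    struct device d = { &in, &eg };
    struct clsact first = {false, false}, repl = {false, false};
    model_init(&d, &first, false);              /* step 1: full init */
    if (model_init(&d, &repl, true) != 0)       /* step 2: replacement fails midway */
        (fixed ? destroy_inited_check : destroy_entry_check)(&d, &repl);
    return eg.released;
}

int main(void)
{
    printf("entry check: %d, inited check: %d\n", rollback_releases_live_egress(false), rollback_releases_live_egress(true));
    return 0;
}
```

With the entry check, the egress count reaches zero although the first instance still holds its reference; with the per-instance check it is left untouched.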
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18192
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

clsact: Fix use-after-free in init/destroy rollback asymmetry

Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry. The latter is achieved by first fully initializing a clsact instance, and then in a second step having a replacement failure for the new clsact qdisc instance. clsact_init() initializes ingress first and then takes care of the egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon failure, the kernel will trigger the clsact_destroy() callback.

Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the way how the transition is happening. If tcf_block_get_ext on the q->ingress_block ends up failing, we took the tcx_miniq_inc reference count on the ingress side, but not yet on the egress side. clsact_destroy() tests whether the {ingress,egress}_entry was non-NULL. However, even in midway failure on the replacement, both are in fact non-NULL with a valid egress_entry from the previous clsact instance. What we really need to test for is whether the qdisc instance-specific ingress or egress side previously got initialized.

This adds a small helper for checking the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon clsact_destroy() in order to fix the use-after-free scenario. Convert the ingress_destroy() side as well so both are consistent to each other.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF in clsact qdisc directly enables privilege escalation via crafted qdisc operations leading to arbitrary code execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely identification, prioritization, assessment, and remediation of the specific use-after-free flaw in the Linux kernel's clsact qdisc.
Enables detection of CVE-2026-23413 through vulnerability scanning and monitoring of kernel components for known flaws.
Provides memory protection mechanisms such as randomization and isolation that mitigate exploitation of use-after-free errors in kernel qdisc operations.