Cyber Resilience

CVE-2026-23413

High

Published: 02 April 2026

Published
02 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23413 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23413 is a use-after-free vulnerability in the Linux kernel's clsact queue discipline (qdisc), stemming from an asymmetry in the initialization and destruction rollback process. During clsact_init(), the ingress block is set up first, followed by egress, but a failure midway—such as in tcf_block_get_ext()—triggers clsact_destroy(). This destroy function incorrectly checks for non-NULL ingress/egress entries, which can still reference prior instances, leading to a use-after-free when reference counts are imbalanced. The issue is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering the faulty init/destroy sequence in the clsact qdisc, potentially during qdisc replacement operations. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution, data corruption, or kernel crashes within the attacker's privilege context.

Mitigation involves applying the relevant stable kernel patches, as detailed in the upstream commits: 0509b762bc5e8ea7b8391130730c6d8502fc6e69 (introduces mini_qdisc_pair_inited helper for proper initialization checks), 37bef86e5428d59f70a4da82b80f9a8f252fecbe, 4c9af67f99aa3e51b522c54968ab3ac8272be41c, a0671125d4f55e1e98d9bde8a0b671941987e208, and a73d95b57bf9faebdfed591bcb7ed9292062a84c. These fixes ensure clsact_destroy() accurately verifies qdisc-specific initialization before cleanup, preventing the use-after-free.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: clsact: Fix use-after-free in init/destroy rollback asymmetry Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry. The latter is achieved by first fully initializing a clsact instance, and…

more

then in a second step having a replacement failure for the new clsact qdisc instance. clsact_init() initializes ingress first and then takes care of the egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon failure, the kernel will trigger the clsact_destroy() callback. Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the way how the transition is happening. If tcf_block_get_ext on the q->ingress_block ends up failing, we took the tcx_miniq_inc reference count on the ingress side, but not yet on the egress side. clsact_destroy() tests whether the {ingress,egress}_entry was non-NULL. However, even in midway failure on the replacement, both are in fact non-NULL with a valid egress_entry from the previous clsact instance. What we really need to test for is whether the qdisc instance-specific ingress or egress side previously got initialized. This adds a small helper for checking the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon clsact_destroy() in order to fix the use-after-free scenario. Convert the ingress_destroy() side as well so both are consistent to each other.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in clsact qdisc directly enables privilege escalation via crafted qdisc operations leading to arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel
CVE-2026-23001Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.10, 7.0 · 6.6.41 — 6.6.130 · 6.9.10 — 6.10 · 6.10.1 — 6.12.78

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, prioritization, assessment, and remediation of the specific use-after-free flaw in the Linux kernel's clsact qdisc.

detect

Enables detection of CVE-2026-23413 through vulnerability scanning and monitoring of kernel components for known flaws.

prevent

Provides memory protection mechanisms such as randomization and isolation that mitigate exploitation of use-after-free errors in kernel qdisc operations.

References