Cyber Resilience

CVE-2026-23419

High

Published: 03 April 2026

Modified: 27 April 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (10.5th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23419 is a high-severity Improper Locking (CWE-667) vulnerability in the Linux kernel. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 10.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is tagged as AI-related (category: Other Platforms; risk domain: Not Applicable). The only classification reason given is a keyword match on "ai".

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-23419 is a vulnerability in the Linux kernel's Reliable Datagram Sockets (RDS) implementation, specifically in the rds_tcp_tune() function. It is a possible circular locking dependency: sk_net_refcnt_upgrade(), which allocates memory via get_net_track() and ref_tracker_alloc(), is called while the socket lock (k-sk_lock-AF_INET6) is held. This creates a dependency with fs_reclaim, as reported by syzbot. The issue affects Linux kernel versions that do not yet carry the fix. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is categorized under CWE-667 (Improper Locking).

A remote, unauthenticated network attacker can exploit this vulnerability with low complexity and no user interaction. By triggering the rds_tcp_tune() path, the attacker can induce the circular locking dependency, potentially leading to a deadlock involving the socket lock and fs_reclaim during memory allocation. This results in high availability impact, such as kernel hangs or system denial of service.

Mitigation involves applying the upstream kernel patches provided in the stable repository. Key fixes include commits such as 026bbaeeab9e04534ee58882b6447300629b42f6, 6a877ececd6daa002a9a0002cd0fbca6592a9244, 6ce948fa54599f369ff7fe8b793a6aae4b0762b2, 8519e6883a942e510f33a0e634e27bcc3a844a40, and 8babb271403378ba6836f6c8599c5313d0e2355d, which move sk_net_refcnt_upgrade() outside the socket lock critical section. Security practitioners should update affected Linux kernels to incorporate these changes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

net/rds: Fix circular locking dependency in rds_tcp_tune

syzbot reported a circular locking dependency in rds_tcp_tune() where sk_net_refcnt_upgrade() is called while holding the socket lock:

======================================================
WARNING: possible circular locking dependency detected
======================================================
kworker/u10:8/15040 is trying to acquire lock:
ffffffff8e9aaf80 (fs_reclaim){+.+.}-{0:0}, at: __kmalloc_cache_noprof+0x4b/0x6f0

but task is already holding lock:
ffff88805a3c1ce0 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: rds_tcp_tune+0xd7/0x930

The issue occurs because sk_net_refcnt_upgrade() performs memory allocation (via get_net_track() -> ref_tracker_alloc()) while the socket lock is held, creating a circular dependency with fs_reclaim.

Fix this by moving sk_net_refcnt_upgrade() outside the socket lock critical section. This is safe because the fields modified by the sk_net_refcnt_upgrade() call (sk_net_refcnt, ns_tracker) are not accessed by any concurrent code path at this point.

v2:
- Corrected fixes tag
- check patch line wrap nits
- ai commentary nits

CWE(s)

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Not Applicable
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct kernel deadlock triggered remotely via RDS leads to endpoint DoS through system exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31467 (same product: Linux kernel)
CVE-2026-43029 (same product: Linux kernel)
CVE-2026-31667 (same product: Linux kernel)
CVE-2026-31598 (same product: Linux kernel)
CVE-2026-31486 (same product: Linux kernel)
CVE-2026-23388 (same product: Linux kernel)
CVE-2026-23242 (same product: Linux kernel)
CVE-2026-22991 (same product: Linux kernel)
CVE-2025-21717 (same product: Linux kernel)
CVE-2026-23459 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
5.18, 7.0 · 5.17.7 — 5.18 · 5.18.1 — 6.6.130 · 6.7 — 6.12.77

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly remediates the circular locking dependency in rds_tcp_tune by applying kernel patches that move sk_net_refcnt_upgrade outside the socket lock critical section.

Detect: Vulnerability scanning identifies Linux kernels affected by CVE-2026-23419's improper locking flaw for subsequent remediation.

Prevent: Disabling unnecessary kernel modules like RDS eliminates the vulnerable rds_tcp_tune code path exploitable by remote attackers.
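
One way to verify the least-functionality mitigation above on a host, as an added example that is not part of the original advisory or the kernel project's code: a hypothetical helper, module_state, reports whether rds or rds_tcp is loaded, blocked by a modprobe install override, only blacklisted, or still loadable. It assumes overrides live in /etc/modprobe.d/*.conf and point at /bin/false or /bin/true (other modprobe.d locations are not scanned); the sample data is constructed.

```shell
#!/bin/sh
# module_state MODULE [MODULES_FILE] [MODPROBE_DIR]
# Prints: loaded | blocked | blacklisted | loadable
# Hypothetical helper for this example; paths default to the live system.
module_state() {
    mod=$(printf '%s' "$1" | tr '-' '_')   # modprobe treats '-' and '_' alike
    modules_file=${2:-/proc/modules}
    conf_dir=${3:-/etc/modprobe.d}

    # /proc/modules format: one loaded module per line, name in field 1.
    if [ -r "$modules_file" ] &&
       awk -v m="$mod" '$1 == m { hit = 1 } END { exit !hit }' "$modules_file"
    then
        echo loaded
        return 0
    fi

    set -- "$conf_dir"/*.conf
    if [ ! -f "$1" ]; then        # no config files at all
        echo loadable
        return 0
    fi
    # "install MOD /bin/false" makes modprobe refuse the module outright;
    # "blacklist MOD" only stops alias-based autoloading.
    awk -v m="$mod" '
        { sub(/#.*/, ""); name = $2; gsub(/-/, "_", name) }
        $1 == "install" && name == m && $3 ~ /^\/(usr\/)?bin\/(false|true)$/ { inst = 1 }
        $1 == "blacklist" && name == m { bl = 1 }
        END { print (inst ? "blocked" : (bl ? "blacklisted" : "loadable")) }
    ' "$@"
}

# Constructed sample data (not from a real host).
demo=$(mktemp -d)
printf '%s\n' 'rds_tcp 32768 0 - Live 0x0000000000000000' \
              'rds 184320 1 rds_tcp, Live 0x0000000000000000' > "$demo/loaded"
: > "$demo/clean"
mkdir "$demo/hardened" "$demo/default"
printf '%s\n' 'install rds /bin/false' 'blacklist rds' \
              'install rds_tcp /bin/false' > "$demo/hardened/rds.conf"

for m in rds rds_tcp; do
    echo "$m, module loaded:       $(module_state "$m" "$demo/loaded" "$demo/default")"
    echo "$m, no modprobe.d rule:  $(module_state "$m" "$demo/clean" "$demo/default")"
    echo "$m, install override:    $(module_state "$m" "$demo/clean" "$demo/hardened")"
done
rm -rf "$demo"
```

Called with only a module name, the helper reads the live /proc/modules and /etc/modprobe.d. A result of "loaded" means the module stays in the running kernel until it is removed or the host reboots, whatever the configuration says.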

References