CVE-2026-23437
Published: 03 April 2026
Summary
CVE-2026-23437 is a high-severity vulnerability in the Linux kernel; its weakness class is unspecified. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23437 is a vulnerability in the Linux kernel's network shaper (net: shaper) component, where late read accesses to the netdev hierarchy are not properly protected. During preparation of Netlink operations (pre-callbacks), a netdev is looked up and a reference is taken. Later, in the callback body, the code takes the netdev's lock or enters RCU, but it does so without the required liveness check that the netdev has not already been unregistered. The fix covers the read cases (those under RCU); writes need a separate change that prevents the hierarchy from being created after the flush has already run.
The vulnerability can be exploited by local attackers with low privileges (AV:L/AC:L/PR:L/UI:N/S:U), requiring no user interaction. Successful exploitation enables high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 7.8 and potentially leading to kernel crashes, data corruption, or privilege escalation via race conditions or invalid memory accesses.
Kernel patches addressing this issue are available in the stable trees via the following commits: https://git.kernel.org/stable/c/0f9ea7141f365b4f27226898e62220fb98ef8dc6, https://git.kernel.org/stable/c/348758ba74e6a348299965b16a97cfb817545cc0, and https://git.kernel.org/stable/c/581eee0890a8bde44f1fb78ad3e70502a897d583. These commits implement liveness checks for read operations under RCU to prevent accesses to unregistered netdevs.
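The ref-then-liveness-check pattern described above, as an added userspace model in C; it is not the kernel's code or the patch itself. Every name is hypothetical, the model assumes unregistration flushes the shaper hierarchy, and a stale access is reported as a return code rather than performed.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model only: every name is hypothetical, not a kernel symbol. */
struct model_netdev {
    int refcnt;       /* a reference keeps the struct allocated, nothing more */
    bool registered;  /* cleared when the device is unregistered */
    int *hierarchy;   /* shaper state; assumed to be flushed at unregister */
};
enum { READ_OK = 0, READ_NODEV = -1, READ_STALE = -2 };

/* Pre-callback: the device is looked up and pinned with a reference. */
static void model_prep(struct model_netdev *dev) { dev->refcnt++; }

/* Unregister landing between the pre-callback and the callback body. */
static void model_unregister(struct model_netdev *dev)
{
    dev->registered = false;
    free(dev->hierarchy);
    dev->hierarchy = NULL;
}

/* Callback body; the kernel would be inside its RCU read section here.
 * check_live=true models the fix: refuse a device that is no longer
 * registered. A stale access is reported as READ_STALE, not performed. */
static int model_read(struct model_netdev *dev, bool check_live, int *rate)
{
    if (check_live && !dev->registered)
        return READ_NODEV;
    if (!dev->hierarchy)
        return READ_STALE;  /* unchecked path reaches flushed state */
    *rate = *dev->hierarchy;
    return READ_OK;
}

/* prep -> optional unregister -> read; returns what the reader saw. */
static int model_scenario(bool unregister_first, bool check_live)
{
    struct model_netdev dev = { 0, true, malloc(sizeof(int)) };
    int rate = 0, ret;
    if (!dev.hierarchy) abort();
    *dev.hierarchy = 100;  /* constructed sample value */
    model_prep(&dev);
    if (unregister_first) model_unregister(&dev);
    ret = model_read(&dev, check_live, &rate);
    free(dev.hierarchy);
    return ret;
}
int main(void) { return model_scenario(true, true) == READ_NODEV ? 0 : 1; }
```

The reference taken in the pre-callback never changes the outcome: only the `registered` check decides whether the reader proceeds to the hierarchy.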
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18678
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
net: shaper: protect late read accesses to the hierarchy
We look up a netdev during prep of Netlink ops (pre-callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU which are the actual protections. This is not proper, a conversion from a ref to a locked netdev must include a liveness check (a check if the netdev hasn't been unregistered already). Fix the read cases (those under RCU). Writes need a separate change to protect from creating the hierarchy after flush has already run.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel race condition in net shaper enables direct privilege escalation via invalid memory access after netdev unregistration.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2026-23437 by requiring timely remediation through application of kernel patches that implement the missing netdev liveness checks under RCU.
Enables detection of vulnerable kernel versions affected by the netdev RCU race condition via vulnerability scanning, facilitating prompt patching.
Provides memory protection mechanisms that can prevent exploitation of invalid memory accesses resulting from the unprotected late read accesses to unregistered netdevs.