Lockless qdiscs Vulnerability in the Linux Kernel
CVE-2026-23340

7.8 HIGH

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 25 March 2026

What is CVE-2026-23340?

A vulnerability exists in the Linux kernel's handling of lockless qdiscs that can lead to a use-after-free (UAF) condition during network operations. When the number of transmission queues is reduced, netif_set_real_num_tx_queues() triggers a reset through qdisc_reset_all_tx_gt(). Because that reset can execute concurrently with qdisc_run, a race condition arises. The race can expose the system to integrity issues and is particularly evident under heavy traffic when queue parameters change rapidly. Users may observe KASAN slab-use-after-free warnings, highlighting potential exploitation scenarios.

Affected Version(s)

Linux 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7 < 7594467c49bfc2f4644dee0415ac2290db11fa0d

Linux 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7

Linux 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7 < 5bc4e69306ed7ae02232eb4c0b23ed621a26d504

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved