CVE-2026-23074

HIGH EPSS 2.9%
Published Feb 4, 20264mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Feb 4, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows: ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s └── class 1:2 (weight=1, lmax=1514) teql GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed causing GangMin's causing a UAF.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 17

VendorProductVersionRange
linuxlinux_kernel*≥2.6.12.1  –  <5.10.249
linuxlinux_kernel*≥5.11  –  <5.15.199
linuxlinux_kernel*≥5.16  –  <6.1.162
linuxlinux_kernel*≥6.2  –  <6.6.122
linuxlinux_kernel*≥6.7  –  <6.12.68
linuxlinux_kernel*≥6.13  –  <6.18.8
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/0686bedfed34155520f3f735cbf3210cb9044380
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/16ed73c1282d376b956bff23e5139add061767ba
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4c7e8aa71c9232cba84c289b4b56cba80b280841
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/73d970ff0eddd874a84c953387c7f4464b705fc6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ae810e6a8ac4fe25042e6825d2a401207a2e41fb
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dad49a67c2d817bfec98e6e45121b351e3a0202c
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0686bedfed34155520f3f735cbf3210cb9044380
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/16ed73c1282d376b956bff23e5139add061767ba
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4c7e8aa71c9232cba84c289b4b56cba80b280841
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/73d970ff0eddd874a84c953387c7f4464b705fc6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ae810e6a8ac4fe25042e6825d2a401207a2e41fb
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dad49a67c2d817bfec98e6e45121b351e3a0202c
    Patch