CVE-2026-23413

HIGH EPSS 2.1%
Published Apr 2, 20263mo ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 2, 2026 3mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: clsact: Fix use-after-free in init/destroy rollback asymmetry Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry. The latter is achieved by first fully initializing a clsact instance, and then in a second step having a replacement failure for the new clsact qdisc instance. clsact_init() initializes ingress first and then takes care of the egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon failure, the kernel will trigger the clsact_destroy() callback. Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the way how the transition is happening. If tcf_block_get_ext on the q->ingress_block ends up failing, we took the tcx_miniq_inc reference count on the ingress side, but not yet on the egress side. clsact_destroy() tests whether the {ingress,egress}_entry was non-NULL. However, even in midway failure on the replacement, both are in fact non-NULL with a valid egress_entry from the previous clsact instance. What we really need to test for is whether the qdisc instance-specific ingress or egress side previously got initialized. This adds a small helper for checking the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon clsact_destroy() in order to fix the use-after-free scenario. Convert the ingress_destroy() side as well so both are consistent to each other.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 13

VendorProductVersionRange
linuxlinux_kernel*≥6.6.41  –  <6.6.130
linuxlinux_kernel*≥6.9.10  –  <6.10
linuxlinux_kernel*≥6.10.1  –  <6.12.78
linuxlinux_kernel*≥6.13  –  <6.18.20
linuxlinux_kernel*≥6.19  –  <6.19.10
linuxlinux_kernel6.10any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 5

  • git.kernel.org https://git.kernel.org/stable/c/0509b762bc5e8ea7b8391130730c6d8502fc6e69
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/37bef86e5428d59f70a4da82b80f9a8f252fecbe
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4c9af67f99aa3e51b522c54968ab3ac8272be41c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a0671125d4f55e1e98d9bde8a0b671941987e208
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a73d95b57bf9faebdfed591bcb7ed9292062a84c
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0509b762bc5e8ea7b8391130730c6d8502fc6e69
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/37bef86e5428d59f70a4da82b80f9a8f252fecbe
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4c9af67f99aa3e51b522c54968ab3ac8272be41c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a0671125d4f55e1e98d9bde8a0b671941987e208
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a73d95b57bf9faebdfed591bcb7ed9292062a84c
    Patch