CVE-2026-23463

MEDIUM EPSS 0.6%
Published Apr 3, 20262mo ago · Modified Jun 17, 20261w ago
4.7 CVSS 3.1
Medium
Find Similar
Published Apr 3, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: fix race condition in qman_destroy_fq When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. Indeed, we can have: Thread A Thread B qman_destroy_fq() qman_create_fq() qman_release_fqid() qman_shutdown_fq() gen_pool_free() -- At this point, the fqid is available again -- qman_alloc_fqid() -- so, we can get the just-freed fqid in thread B -- fq->fqid = fqid; fq->idx = fqid * 2; WARN_ON(fq_table[fq->idx]); fq_table[fq->idx] = fq; fq_table[fq->idx] = NULL; And adding some logs between qman_release_fqid() and fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more. To prevent that, ensure that fq_table[fq->idx] is set to NULL before gen_pool_free() is called by using smp_wmb().

CVSS Details

Base Score
4.7
Exploitability
1.0
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
0.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-362

Affected Products 11

VendorProductVersionRange
linuxlinux_kernel*≥4.9  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.167
linuxlinux_kernel*≥6.2  –  <6.6.130
linuxlinux_kernel*≥6.7  –  <6.12.78
linuxlinux_kernel*≥6.13  –  <6.18.20
linuxlinux_kernel*≥6.19  –  <6.19.10
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/014077044e874e270ec480515edbc1cadb976cf2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/265e56714635c5dd1e5964bfd97fa6e73f62cde5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/66442cf9989bd4489fa80d9f37637d58ab016835
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/751f60bd48edaf03f9d84ab09e5ce6705757d50f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9e3d47904b8153c8c3ad2f9b66d5008aad677aa8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d21923a8059fa896bfef016f55dd769299335cb4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d288fbe652ef43b7128e4bc0c0c2ef6bd03a2210
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/014077044e874e270ec480515edbc1cadb976cf2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/265e56714635c5dd1e5964bfd97fa6e73f62cde5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/66442cf9989bd4489fa80d9f37637d58ab016835
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/751f60bd48edaf03f9d84ab09e5ce6705757d50f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9e3d47904b8153c8c3ad2f9b66d5008aad677aa8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d21923a8059fa896bfef016f55dd769299335cb4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d288fbe652ef43b7128e4bc0c0c2ef6bd03a2210
    Patch