SB2026040698 - Race condition in Linux kernel shaper




Published: April 6, 2026

Security Bulletin ID: SB2026040698
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity: Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Race condition (CVE-ID: CVE-2026-23436)

The vulnerability allows a remote user to cause a resource leak.

The vulnerability exists due to a race condition in the net: shaper hierarchy handling when processing netlink set operations. A remote user can send crafted netlink set operations during device unregistration to cause a resource leak.

The issue occurs when a hierarchy is created after flush has already run because the netdev may be unregistered between reference acquisition and later locking. Low privileges are required to trigger the issue.
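
The ordering problem described above, as an added example that is not from the bulletin or the kernel source: a simplified userspace C model in which unregistration flushes the hierarchy before a set operation that already holds a reference takes the lock. All names (struct dev, dev_set, dev_unregister) are hypothetical, and re-checking the registered flag under the lock is an assumed guard for illustration, not the vendor's patch.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model; every name here is hypothetical, not a kernel symbol. */
struct dev {
    pthread_mutex_t lock;
    bool registered;
    void *hierarchy;   /* created lazily by a "set" operation */
};

/* Unregistration: mark the device gone, flush the hierarchy that exists now. */
static void dev_unregister(struct dev *d) {
    pthread_mutex_lock(&d->lock);
    d->registered = false;
    free(d->hierarchy);
    d->hierarchy = NULL;
    pthread_mutex_unlock(&d->lock);
}

/* Body of a set operation, run after the caller already holds a reference.
 * recheck=false is the racy pattern, recheck=true the guarded one. */
static int dev_set(struct dev *d, bool recheck) {
    int ret = 0;
    pthread_mutex_lock(&d->lock);
    if (recheck && !d->registered)
        ret = -1;                    /* flush already ran: do not allocate */
    else if (!d->hierarchy)
        d->hierarchy = malloc(64);   /* no later flush will free this */
    pthread_mutex_unlock(&d->lock);
    return ret;
}

/* Replays the interleaving in fixed order: reference held, unregister, set.
 * Returns true when a hierarchy outlives the flush, i.e. the leak. */
static bool leaks_after_unregister(bool recheck) {
    struct dev d = { PTHREAD_MUTEX_INITIALIZER, true, NULL };
    dev_unregister(&d);              /* wins the race against the set op */
    dev_set(&d, recheck);
    bool leaked = d.hierarchy != NULL;
    free(d.hierarchy);               /* cleanup for the demo only */
    return leaked;
}

int main(void) {
    printf("unchecked: leak=%d\n", leaks_after_unregister(false));
    printf("rechecked: leak=%d\n", leaks_after_unregister(true));
    return 0;
}
```

The reference taken at lookup keeps the object's memory valid but says nothing about whether it is still registered, which is why the state has to be read under the same lock the flush uses.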


Remediation

Install update from vendor's website.