SB2026040698 - Race condition in Linux kernel shaper
Published: April 6, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Race condition (CVE-ID: CVE-2026-23436)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a resource leak.
The vulnerability exists due to a race condition in the net: shaper hierarchy handling when processing netlink set operations. A remote user can send crafted netlink set operations during device unregistration to cause a resource leak.
The issue occurs when a hierarchy is created after flush has already run because the netdev may be unregistered between reference acquisition and later locking. Low privileges are required to trigger the issue.
Remediation
Install update from vendor's website.