Use After Free in Linux kernel - CVE-2026-23340

 


Published: March 25, 2026


Vulnerability identifier: #VU124511
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23340
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to a use-after-free in the network scheduler (qdisc) component when resetting transmit queues for lockless qdiscs during changes in the number of real transmit queues. A local user can trigger a race condition between qdisc_reset() and the packet dequeue path, leading to use-after-free and potential execution of arbitrary code or system crash.

Exploitation requires the ability to modify network interface queue configurations, which typically requires local user privileges. The issue affects systems using lockless qdiscs such as pfifo_fast, especially under high network load and frequent queue resizing operations.
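Since the advisory ties the bug to lockless qdiscs such as pfifo_fast, a defender's first question is which interfaces on a host actually run one. The script below is an added triage aid, not part of this advisory or the kernel project: it parses `tc qdisc show` output and lists every device with a pfifo_fast qdisc attached (root or per-queue child under mq), so those hosts can be prioritised for the vendor update. The sample `tc` output is constructed for illustration and the `--live` flag is this script's own convention.

```shell
#!/bin/sh
# Constructed sample of `tc qdisc show` output (not captured from a real host).
# It mixes a single-queue device with pfifo_fast at the root (eth0), a multi-queue
# device whose mq root has pfifo_fast children (eth1), and devices using other qdiscs.
SAMPLE_TC_OUTPUT='qdisc noqueue 0: dev lo root refcnt 2
qdisc pfifo_fast 0: dev eth0 root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc mq 0: dev eth1 root
qdisc pfifo_fast 0: dev eth1 parent :1 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc pfifo_fast 0: dev eth1 parent :2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc fq_codel 0: dev eth2 root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms'

# lockless_qdisc_devs: read `tc qdisc show` lines on stdin and print, once each,
# the devices that have at least one pfifo_fast qdisc attached (the lockless qdisc
# named in the advisory). Each line looks like "qdisc <kind> <handle> dev <name> ...",
# so the device name is the field right after the literal "dev".
lockless_qdisc_devs() {
    awk '$1 == "qdisc" && $2 == "pfifo_fast" {
             for (i = 3; i <= NF; i++) if ($i == "dev") { print $(i + 1); break }
         }' | sort -u
}

# count_lockless_qdisc_devs: number of devices reported by lockless_qdisc_devs.
count_lockless_qdisc_devs() {
    lockless_qdisc_devs | wc -l | tr -d ' '
}

# With --live (this script's own flag) and tc installed, inspect the running host;
# otherwise demonstrate on the constructed sample.
if [ "${1:-}" = "--live" ] && command -v tc >/dev/null 2>&1; then
    echo "kernel: $(uname -r)"
    tc qdisc show | lockless_qdisc_devs
else
    printf '%s\n' "$SAMPLE_TC_OUTPUT" | lockless_qdisc_devs
fi
```

On the sample the script prints `eth0` and `eth1`; eth1 appears once even though two of its transmit queues carry pfifo_fast. The kernel version is printed alongside in live mode so the result can be compared against the fixed version the vendor publishes for this CVE.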


How to mitigate CVE-2026-23340

Install the security update from the vendor's repository.

Sources