#VU124922 Double free in Linux kernel - CVE-2026-23449

 


Published: April 6, 2026


Vulnerability identifier: #VU124922
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23449
CWE-ID: CWE-415
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Linux kernel
Software vendor: Linux Foundation

Description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in teql_master_xmit in the TEQL qdisc handling code when resetting a TEQL device with a lockless qdisc as root while racing with the datapath. A local user can trigger concurrent qdisc operations to cause a denial of service.

The issue can lead to kernel crashes. Exploitation requires local access to interact with the affected traffic control functionality.


Remediation

Install the security update from the vendor's repository.
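To prioritise which hosts get the update first, it helps to know where the TEQL qdisc is actually present. The script below is an added example, not part of the advisory or of any vendor tooling: it classifies a host from `/proc/modules` and `tc qdisc show` output. It assumes the TEQL scheduler is built as the `sch_teql` module and that attached TEQL qdiscs are listed with a kind of the form `teqlN`; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: exposure check for the TEQL qdisc (sch_teql).
# Note: a kernel with TEQL built in (CONFIG_NET_SCH_TEQL=y) does not list
# it in /proc/modules, so "not-listed" is not proof that the code is absent.

# Succeeds if /proc/modules-format text on stdin lists sch_teql.
teql_module_loaded() {
    awk '$1 == "sch_teql" { found = 1 } END { exit !found }'
}

# Reads `tc qdisc show` output on stdin and prints every device that has
# a teqlN qdisc attached, one per line.
teql_attached_devs() {
    awk '$1 == "qdisc" && $2 ~ /^teql[0-9]+$/ {
        for (i = 3; i < NF; i++) if ($i == "dev") { print $(i + 1); break }
    }'
}

# $1 = modules text, $2 = tc output. Prints a one-word verdict.
teql_verdict() {
    devs=$(printf '%s\n' "$2" | teql_attached_devs | tr '\n' ' ')
    if [ -n "$devs" ]; then
        echo "in-use"            # TEQL qdisc attached to at least one device
    elif printf '%s\n' "$1" | teql_module_loaded; then
        echo "loaded-unused"     # module present, nothing attached
    else
        echo "not-listed"
    fi
}

# Constructed sample input (not captured from a real host).
SAMPLE_MODS='sch_teql 20480 0 - Live 0x0000000000000000
sch_fq_codel 24576 2 - Live 0x0000000000000000'
SAMPLE_TC='qdisc noqueue 0: dev lo root refcnt 2
qdisc teql0 8001: dev eth0 root refcnt 2
qdisc fq_codel 0: dev eth1 root refcnt 2'

if [ "${1:-}" = "--live" ]; then
    teql_verdict "$(cat /proc/modules)" "$(tc qdisc show)"
else
    teql_verdict "$SAMPLE_MODS" "$SAMPLE_TC"   # in-use
fi
```

Run with `--live` on a host to evaluate its real state; without arguments it evaluates the embedded sample.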
