#VU124932 Race condition in Linux kernel - CVE-2026-23437

 

Published: April 6, 2026


Vulnerability identifier: #VU124932
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23437
CWE-ID: CWE-362
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Linux kernel
Software vendor: Linux Foundation

Description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking and a missing liveness check in the net: shaper hierarchy handling code when processing netlink operations that read the hierarchy under RCU. A local user can send specially crafted netlink requests to cause a denial of service.

The issue occurs because a net device reference obtained during netlink operation preparation may later be accessed under RCU without verifying that the device is still live and has not already been unregistered.


Remediation

Install the security update from the vendor's repository.
