Race condition in Linux kernel - CVE-2026-23437

Published: April 6, 2026


Vulnerability identifier: #VU124932
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23437
CWE-ID: CWE-362
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software: Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking and a missing liveness check in the kernel's net shaper hierarchy handling (the "net: shaper" subsystem) when netlink operations read the hierarchy under RCU. A local user can send specially crafted netlink requests to cause a denial of service.

The issue occurs because a net device reference obtained while preparing a netlink operation may later be accessed under RCU without verifying that the device is still live, i.e. that it has not already been unregistered in the meantime.


How to mitigate CVE-2026-23437

Install the security update from the vendor's repository.

Sources