Race condition in Linux kernel - CVE-2026-23436

 

Race condition in Linux kernel - CVE-2026-23436

Published: April 6, 2026


Vulnerability identifier: #VU124934
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23436
CWE-ID: CWE-362
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a remote user to cause a resource leak.

The vulnerability exists due to a race condition in the net: shaper hierarchy handling when processing netlink set operations. A remote user can send crafted netlink set operations during device unregistration to cause a resource leak.

The issue occurs when a hierarchy is created after flush has already run because the netdev may be unregistered between reference acquisition and later locking. Low privileges are required to trigger the issue.


How to mitigate CVE-2026-23436

Install security update from vendor's repository.

Sources