CVE-2026-23105
Description
In the Linux kernel, the following vulnerability has been resolved:
net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag
This is more of a preventive patch to make the code more consistent and to prevent possible exploits that employ child qlen manipulations on qfq. use cl_is_active instead of relying on the child qdisc's qlen to determine class activation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel patch for the QFQ scheduler replaces unreliable child qdisc length checks with the cl_is_active flag, fixing a class-activation logic gap that could be exploited via qlen manipulation.
Root
Cause
In the Linux kernel's net/sched subsystem, the Quick Fair Queueing (QFQ) scheduler used a class's child qdisc queue length (qlen) to determine whether a class should be considered active. This approach is fragile because qlen can be manipulated by an attacker controlling child qdiscs, leading to incorrect class state management. The patch replaces the qlen-based check with cl_is_active, a dedicated flag that more reliably indicates class activation.
Exploitation
Vector
An attacker with access to configure or attach child qdiscs to QFQ classes could artificially inflate or deflate the child qdisc's qlen. This manipulation would cause qfq_rm_from_ag to misclassify a class as inactive while it still has pending traffic, or vice versa. No special privileges beyond the ability to configure traffic control (tc) and attach qdiscs are required, though such operations typically need CAP_NET_ADMIN [1][2].
Impact
Successful exploitation could lead to denial of service (DoS) by preventing the QFQ scheduler from properly managing bandwidth allocation. A class that is incorrectly marked inactive may be skipped during dequeuing, delaying or dropping legitimate traffic for that class. Conversely, an incorrectly active class could consume more bandwidth than allowed, breaking QoS guarantees [3][4].
Mitigation
The fix [1] has been applied to the Linux kernel stable branches. All users are strongly advised to update to a patched kernel version. There is no workaround other than applying the kernel update, as the vulnerability is in scheduler core logic.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
8cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 7 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=3.8,<5.10.249
- cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
- (no CPE)
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/77f1afd0bb4d5da95236f6114e6d0dfcde187ff6nvdPatch
- git.kernel.org/stable/c/93b8635974fb050c43d07e35e5edfe6e685ca28anvdPatch
- git.kernel.org/stable/c/abd9fc26ea577561a5ef6241a1b058755ffdad0cnvdPatch
- git.kernel.org/stable/c/b8c24cf5268fb3bfb8d16324c3dbb985f698c835nvdPatch
- git.kernel.org/stable/c/d837fbee92453fbb829f950c8e7cf76207d73f33nvdPatch
- git.kernel.org/stable/c/f27047abf7cac1b6f90c3ad60de21ef9f717c26dnvdPatch
- git.kernel.org/stable/c/fac2c67bb2bb732eae4283e45fc338af7e08c254nvdPatch
News mentions
0No linked articles in our index yet.