VYPR
High severity · 7.8 · NVD Advisory · Published Mar 18, 2026 · Updated Apr 18, 2026

CVE-2026-23245


Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_gate: snapshot parameters with RCU on replace

The gate action can be replaced while the hrtimer callback or dump path is walking the schedule list.

Convert the parameters to an RCU-protected snapshot and swap updates under tcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits the entry list, preserve the existing schedule so the effective state is unchanged.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free race condition in the Linux kernel's net/sched act_gate module allows local privilege escalation via concurrent replace and hrtimer/dump operations.

Vulnerability

CVE-2026-23245 is a use-after-free vulnerability in the Linux kernel's net/sched act_gate (gate action) module. The gate action can be replaced while the hrtimer callback or dump path is concurrently walking the schedule list, leading to a race condition where freed memory may be accessed [1].

Exploitation

An attacker with local access and the ability to replace a gate action (e.g., via netlink operations) can trigger the race. No special privileges beyond those needed to configure traffic control are required, making this a local privilege escalation vector [2].

Impact

Successful exploitation allows an attacker to corrupt kernel memory, potentially leading to arbitrary code execution with kernel privileges. The CVSS v3 score of 7.8 reflects the high impact on confidentiality, integrity, and availability [3].

Mitigation

The fix converts the gate action parameters to an RCU-protected snapshot, swapping updates under tcf_lock and freeing the old snapshot via call_rcu(). When a REPLACE operation omits the entry list, the existing schedule is preserved to maintain effective state. The patch has been applied to the stable kernel tree [4].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
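
The fix described under Mitigation, as an added example (not the kernel patch and not code from this page): a single-threaded userspace C model of the snapshot-and-swap pattern. The type and function names are hypothetical, the deferred-free list stands in for call_rcu(), and no real locking or RCU is performed.

```c
#include <stdlib.h>
#include <string.h>

struct gate_params {               /* hypothetical model type, not the kernel's */
    int base_time;                 /* a scalar parameter */
    size_t n;                      /* number of schedule entries, at most 8 */
    int interval[8];               /* schedule entry intervals */
    struct gate_params *next_free; /* link in the deferred-free list */
};
struct gate {
    struct gate_params *cur;          /* published snapshot */
    struct gate_params *pending_free; /* stand-in for the call_rcu() queue */
};

/* Publish a complete new snapshot; entries == NULL models a REPLACE that omits the entry list. */
int gate_replace(struct gate *g, int base_time, const int *entries, size_t n)
{
    struct gate_params *old = g->cur, *p = calloc(1, sizeof(*p));
    if (!p || n > 8) { free(p); return -1; }
    p->base_time = base_time;
    if (entries) {
        p->n = n;
        memcpy(p->interval, entries, n * sizeof(int));
    } else if (old) {              /* preserve the existing schedule */
        p->n = old->n;
        memcpy(p->interval, old->interval, old->n * sizeof(int));
    }
    g->cur = p;                    /* the kernel swaps under tcf_lock */
    if (old) { old->next_free = g->pending_free; g->pending_free = old; }
    return 0;
}

/* Models the end of a grace period: no reader still holds an old snapshot. */
size_t gate_grace_period(struct gate *g)
{
    size_t freed = 0;
    for (struct gate_params *p; (p = g->pending_free) != NULL; freed++) {
        g->pending_free = p->next_free;
        free(p);
    }
    return freed;
}

/* Reader (timer callback or dump path): walks one snapshot only. */
int gate_cycle_time(const struct gate_params *p)
{
    int sum = 0;
    for (size_t i = 0; i < p->n; i++) sum += p->interval[i];
    return sum;
}
```

A reader that picked up `cur` before a replace keeps walking a complete, unfreed snapshot until the modelled grace period runs; freeing the old parameters at the point of the swap instead is the use-after-free the advisory describes.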
