CVE-2026-23436
Description
In the Linux kernel, the following vulnerability has been resolved:
net: shaper: protect from late creation of hierarchy
We look up a netdev during prep of Netlink ops (pre- callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU which are the actual protections.
The netdev may get unregistered in between the time we take the ref and the time we lock it. We may allocate the hierarchy after flush has already run, which would lead to a leak.
Take the instance lock in pre- already, this saves us from the race and removes the need for dedicated lock/unlock callbacks completely. After all, if there's any chance of write happening concurrently with the flush - we're back to leaking the hierarchy.
We may take the lock for devices which don't support shapers but we're only dealing with SET operations here, not taking the lock would be optimizing for an error case.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's net/shaper subsystem could allow a hierarchy to be allocated after flush, causing a memory leak.
Vulnerability
A race condition exists in the Linux kernel's net/shaper subsystem. During Netlink operations, a reference to a network device (netdev) is taken in the pre-callback, but the actual locking occurs later in the callback body. If the netdev is unregistered between these two points, a hierarchy could be allocated after the flush operation has already completed, leading to a memory leak [1].
Exploitation
An attacker with the ability to trigger Netlink SET operations on a netdev that is being concurrently unregistered could exploit this race. The attack requires precise timing to cause the hierarchy allocation to occur after the flush. No special privileges beyond the ability to issue the relevant Netlink operations are mentioned in the description [1].
Impact
Successful exploitation results in a memory leak of the shaper hierarchy. This could lead to resource exhaustion over time, potentially causing denial of service. The CVSS v3 score of 5.5 (Medium) reflects the availability impact [1].
Mitigation
The fix moves the instance lock acquisition into the pre-callback, eliminating the race window and removing the need for separate lock/unlock callbacks. The patch has been applied to the stable kernel tree [1]. Users should update to a kernel version containing this commit.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
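The ordering problem described above can be replayed deterministically in user space. The following is an added example, not kernel code and not part of the original advisory: every name in it (`struct dev`, `unregister_dev`, `set_body`, `run_set`) is hypothetical, a boolean stands in for the instance lock, and a blocked unregister is modelled as a call that fails and is retried once the lock is released.

```c
#include <stdbool.h>
#include <stdlib.h>

/* User-space model; every name here is hypothetical, not a kernel symbol. */
struct dev {
    bool registered;   /* cleared by unregister */
    bool locked;       /* stands in for the instance lock */
    int refs;          /* a ref keeps the memory alive, not the registration */
    void *hierarchy;   /* shaper hierarchy, freed only by flush */
};

/* Unregister path: needs the instance lock, then flushes the hierarchy once. */
static bool unregister_dev(struct dev *d)
{
    if (d->locked)
        return false;          /* a real thread would block here */
    d->registered = false;
    free(d->hierarchy);        /* flush */
    d->hierarchy = NULL;
    return true;
}

/* SET body: allocate the hierarchy on first use. */
static void set_body(struct dev *d)
{
    if (!d->hierarchy)
        d->hierarchy = malloc(64);
}

/* Replays the interleaving from the description: unregister lands between
 * pre- and the body. Returns true if a hierarchy outlives the flush (leak). */
static bool run_set(bool lock_in_pre)
{
    struct dev d = { .registered = true };
    bool leaked, flushed;

    d.refs++;                          /* pre-: lookup + ref */
    if (lock_in_pre)
        d.locked = true;               /* fixed: lock taken in pre- */
    flushed = unregister_dev(&d);      /* concurrent unregister attempt */
    if (!lock_in_pre)
        d.locked = true;               /* old: lock taken only in the body */
    set_body(&d);
    d.locked = false;
    d.refs--;
    if (!flushed)
        unregister_dev(&d);            /* blocked unregister proceeds now */
    leaked = d.hierarchy != NULL;
    free(d.hierarchy);                 /* tidy up the model itself */
    return leaked;
}
```

With the lock taken only in the body, the flush runs first and the later allocation is never freed; with the lock taken in pre-, the unregister waits and its flush frees the hierarchy.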
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.13.1,<6.18.20)
- cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.