VYPR
High severity · 7.8 · NVD Advisory · Published Apr 3, 2026 · Updated Apr 27, 2026

CVE-2026-23437

Description

In the Linux kernel, the following vulnerability has been resolved:

net: shaper: protect late read accesses to the hierarchy

We look up a netdev during prep of Netlink ops (pre- callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU which are the actual protections.

This is not proper; a conversion from a ref to a locked netdev must include a liveness check (a check if the netdev hasn't been unregistered already). Fix the read cases (those under RCU). Writes need a separate change to protect from creating the hierarchy after flush has already run.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in the Linux kernel's net: shaper subsystem allows use-after-free of a netdev during Netlink operations.

Description

In the Linux kernel's net: shaper subsystem, a race condition exists during Netlink operations. The subsystem looks up a netdev and increases its reference count in a pre-callback (prep) phase. Later, in the actual callback body, it uses RCU or a lock to access the netdev. However, there is no liveness check when converting from a reference to a locked or RCU-protected pointer. This means the netdev could have been unregistered between the lookup and the protected access, leading to a use-after-free condition [1].

Exploitation

An attacker must be able to trigger Netlink operations involving the net: shaper hierarchy. The vulnerability is triggered when a netdev is unregistered while a concurrent Netlink operation holds a stale reference. No special privileges beyond the ability to send Netlink messages are required, but the exploitation window depends on precise timing. The fix addresses read cases under RCU; writes require a separate change to prevent hierarchy creation after a flush has already run [2].

Impact

A successful exploit could allow an attacker with access to Netlink operations to cause a use-after-free of the netdev structure. This can lead to arbitrary memory corruption, potentially resulting in a system crash (denial of service) or privilege escalation in some kernel configurations. The CVSS v3 score is 7.8 (High), reflecting the high potential impact on confidentiality, integrity, and availability [3].

Mitigation

The vulnerability is fixed in Linux kernel stable commits. The fix adds a liveness check when converting from a reference to a locked/RCU-protected netdev. System administrators should apply the latest kernel updates from their distribution. No workarounds are documented, and the CVE is not listed in CISA's Known Exploited Vulnerabilities catalog at the time of publication.
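The ref-to-locked conversion with a liveness check, as an added userspace model (not the kernel patch and not code from this advisory). All names (`model_dev`, `model_read_shapers`, and so on) are hypothetical, and a pthread mutex stands in for the netdev lock or RCU.

```c
/* Userspace model of "ref -> locked" conversion; constructed, not kernel code. */
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

struct model_dev {
    pthread_mutex_t lock;   /* the actual protection for hier */
    atomic_int refcnt;      /* keeps the struct allocated, nothing more */
    bool registered;        /* liveness flag, cleared on unregister */
    int *hier;              /* stand-in for the shaper hierarchy */
};

struct model_dev *model_dev_new(int nr_shapers)
{
    struct model_dev *d = calloc(1, sizeof(*d));
    if (!d || !(d->hier = malloc(sizeof(*d->hier)))) { free(d); return NULL; }
    pthread_mutex_init(&d->lock, NULL);
    *d->hier = nr_shapers;
    atomic_init(&d->refcnt, 1);
    d->registered = true;
    return d;
}
/* Pre-callback step: the lookup only takes a reference. */
void model_dev_hold(struct model_dev *d) { atomic_fetch_add(&d->refcnt, 1); }

void model_dev_put(struct model_dev *d)
{
    if (atomic_fetch_sub(&d->refcnt, 1) != 1) return;
    pthread_mutex_destroy(&d->lock);
    free(d->hier);
    free(d);
}
/* Unregister: under the lock, mark the device dead and flush the hierarchy. */
void model_dev_unregister(struct model_dev *d)
{
    pthread_mutex_lock(&d->lock);
    d->registered = false;
    free(d->hier);
    d->hier = NULL;
    pthread_mutex_unlock(&d->lock);
}
/* Callback body: after locking, check liveness before touching hier. */
int model_read_shapers(struct model_dev *d, int *out)
{
    int ret = -ENODEV;      /* a held ref does not mean "still registered" */
    pthread_mutex_lock(&d->lock);
    if (d->registered) { *out = *d->hier; ret = 0; }
    pthread_mutex_unlock(&d->lock);
    return ret;
}
```

Without the `registered` test, a caller that took its reference before `model_dev_unregister()` ran would dereference the flushed hierarchy even though the structure itself is still allocated.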

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10
  • Linux/Kernel: 9 versions
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.13.1,<6.18.20)
    • cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Patches

0

No patches discovered yet.

References

3
