CVE-2026-23436 (GCVE-0-2026-23436)
Vulnerability from cvelistv5
Published
2026-04-03 15:15
Modified
2026-04-13 06:07
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net: shaper: protect from late creation of hierarchy We look up a netdev during prep of Netlink ops (pre- callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU which are the actual protections. The netdev may get unregistered in between the time we take the ref and the time we lock it. We may allocate the hierarchy after flush has already run, which would lead to a leak. Take the instance lock in pre- already, this saves us from the race and removes the need for dedicated lock/unlock callbacks completely. After all, if there's any chance of write happening concurrently with the flush - we're back to leaking the hierarchy. We may take the lock for devices which don't support shapers but we're only dealing with SET operations here, not taking the lock would be optimizing for an error case.
References
Impacted products
Vendor Product Version
Linux Linux Version: 93954b40f6a4fc43226c01a15b02732f884500f1
Version: 93954b40f6a4fc43226c01a15b02732f884500f1
Version: 93954b40f6a4fc43226c01a15b02732f884500f1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "Documentation/netlink/specs/net_shaper.yaml",
            "net/shaper/shaper.c",
            "net/shaper/shaper_nl_gen.c",
            "net/shaper/shaper_nl_gen.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "719f6784f918f9e32f3ff3b197f900e852223f9d",
              "status": "affected",
              "version": "93954b40f6a4fc43226c01a15b02732f884500f1",
              "versionType": "git"
            },
            {
              "lessThan": "d22921727023e7852704965e935f4d1fc83a5ec9",
              "status": "affected",
              "version": "93954b40f6a4fc43226c01a15b02732f884500f1",
              "versionType": "git"
            },
            {
              "lessThan": "d75ec7e8ba1979a1eb0b9211d94d749cdce849c8",
              "status": "affected",
              "version": "93954b40f6a4fc43226c01a15b02732f884500f1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "Documentation/netlink/specs/net_shaper.yaml",
            "net/shaper/shaper.c",
            "net/shaper/shaper_nl_gen.c",
            "net/shaper/shaper_nl_gen.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.20",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.10",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: shaper: protect from late creation of hierarchy\n\nWe look up a netdev during prep of Netlink ops (pre- callbacks)\nand take a ref to it. Then later in the body of the callback\nwe take its lock or RCU which are the actual protections.\n\nThe netdev may get unregistered in between the time we take\nthe ref and the time we lock it. We may allocate the hierarchy\nafter flush has already run, which would lead to a leak.\n\nTake the instance lock in pre- already, this saves us from the race\nand removes the need for dedicated lock/unlock callbacks completely.\nAfter all, if there\u0027s any chance of write happening concurrently\nwith the flush - we\u0027re back to leaking the hierarchy.\n\nWe may take the lock for devices which don\u0027t support shapers but\nwe\u0027re only dealing with SET operations here, not taking the lock\nwould be optimizing for an error case."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T06:07:25.128Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/719f6784f918f9e32f3ff3b197f900e852223f9d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d22921727023e7852704965e935f4d1fc83a5ec9"
        },
        {
          "url": "https://git.kernel.org/stable/c/d75ec7e8ba1979a1eb0b9211d94d749cdce849c8"
        }
      ],
      "title": "net: shaper: protect from late creation of hierarchy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23436",
    "datePublished": "2026-04-03T15:15:21.280Z",
    "dateReserved": "2026-01-13T15:37:46.017Z",
    "dateUpdated": "2026-04-13T06:07:25.128Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.