Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-23340— net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs

CVSS 7.8 · High EPSS 0.01% · P3
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-23340

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used. qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_reset() can run concurrently with __qdisc_run() and free skbs while they are still being dequeued, leading to UAF. This can easily be reproduced on e.g. virtio-net by imposing heavy traffic while frequently changing the number of queue pairs: iperf3 -ub0 -c $peer -t 0 & while :; do ethtool -L eth0 combined 1 ethtool -L eth0 combined 2 done With KASAN enabled, this leads to reports like: BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760 ... Call Trace: <TASK> ... __qdisc_run+0x133f/0x1760 __dev_queue_xmit+0x248f/0x3550 ip_finish_output2+0xa42/0x2110 ip_output+0x1a7/0x410 ip_send_skb+0x2e6/0x480 udp_send_skb+0xb0a/0x1590 udp_sendmsg+0x13c9/0x1fc0 ... </TASK> Allocated by task 1270 on cpu 5 at 44.558414s: ... alloc_skb_with_frags+0x84/0x7c0 sock_alloc_send_pskb+0x69a/0x830 __ip_append_data+0x1b86/0x48c0 ip_make_skb+0x1e8/0x2b0 udp_sendmsg+0x13a6/0x1fc0 ... Freed by task 1306 on cpu 3 at 44.558445s: ... kmem_cache_free+0x117/0x5e0 pfifo_fast_reset+0x14d/0x580 qdisc_reset+0x9e/0x5f0 netif_set_real_num_tx_queues+0x303/0x840 virtnet_set_channels+0x1bf/0x260 [virtio_net] ethnl_set_channels+0x684/0xae0 ethnl_default_set_doit+0x31a/0x890 ... Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the serialization model already used by dev_reset_queue(). Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state reflects an empty queue, avoiding needless re-scheduling.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于qdisc_reset_all_tx_gt与无锁队列出队操作存在竞争条件,可能导致释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7 ~ 5bb27ad54d12de67e457d7d251198e361bef835e -
LinuxLinux 4.16 -

II. Public POCs for CVE-2026-23340

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-23340

登录查看更多情报信息。

Same Patch Batch · Linux · 2026-03-25 · 116 CVEs total

CVE-2026-233958.8 HIGHBluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
CVE-2026-317888.2 HIGHxen/privcmd: restrict usage in unprivileged domU
CVE-2026-233507.8 HIGHdrm/xe/queue: Call fini on exec queue creation fail
CVE-2026-233177.8 HIGHdrm/vmwgfx: Return the correct value in vmw_translate_ptr functions
CVE-2026-233067.8 HIGHscsi: pm8001: Fix use-after-free in pm8001_queue_command()
CVE-2026-233727.8 HIGHnfc: rawsock: cancel tx_work before socket teardown
CVE-2026-233787.8 HIGHnet/sched: act_ife: Fix metalist update behavior
CVE-2026-233517.8 HIGHnetfilter: nft_set_pipapo: split gc into unlink and reclaim phase
CVE-2026-233837.8 HIGHbpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing
CVE-2026-233367.8 HIGHwifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
CVE-2026-232887.8 HIGHaccel/amdxdna: Fix out-of-bounds memset in command slot handling
CVE-2026-233917.8 HIGHnetfilter: xt_CT: drop pending enqueued packets on template removal
CVE-2026-233927.8 HIGHnetfilter: nf_tables: release flowtable after rcu grace period on error
CVE-2026-232807.8 HIGHaccel/amdxdna: Prevent ubuf size overflow
CVE-2026-233937.8 HIGHbridge: cfm: Fix race condition in peer_mep deletion
CVE-2026-233647.4 HIGHksmbd: Compare MACs in constant time
CVE-2026-232947.0 HIGHbpf: Fix race in devmap on PREEMPT_RT
CVE-2026-23338drm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings
CVE-2026-23354x86/fred: Correct speculative safety in fred_extint()
CVE-2026-23357can: mcp251x: fix deadlock in error path of mcp251x_open

Showing top 20 of 116 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-23340

No comments yet

Leave a comment