CVE-2026-23340 Overview
CVE-2026-23340 is a Use-After-Free vulnerability in the Linux kernel's network scheduler subsystem (net: sched). The vulnerability exists in the qdisc_reset_all_tx_gt() function, which can race against the lockless dequeue path when shrinking the number of real transmit queues. This race condition allows qdisc_reset() to free socket buffers (skbs) while they are still being dequeued by __qdisc_run(), leading to memory corruption.
Critical Impact
Attackers with local access could exploit this race condition to trigger Use-After-Free conditions, potentially leading to kernel memory corruption, system crashes, or privilege escalation.
Affected Products
- Linux kernel (multiple versions with lockless qdisc support)
- Systems using virtio-net or similar drivers with dynamic queue reconfiguration
- Network configurations utilizing netif_set_real_num_tx_queues()
Discovery Timeline
- 2026-03-25 - CVE-2026-23340 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23340
Vulnerability Analysis
This vulnerability arises from an improper synchronization mechanism in the Linux kernel's traffic control (qdisc) subsystem. When netif_set_real_num_tx_queues() is called to reduce the number of active transmit queues, it invokes qdisc_reset_all_tx_gt() to flush the qdiscs associated with queues that will no longer be used.
The core issue is that qdisc_reset_all_tx_gt() attempts to serialize qdisc_reset() operations using qdisc_lock(). However, for lockless qdiscs (those with the TCQ_F_NOLOCK flag), the dequeue path uses qdisc->seqlock through qdisc_run_begin/end() for serialization instead. This mismatch means that qdisc_reset() can execute concurrently with __qdisc_run(), allowing skbs to be freed while they are still being processed in the dequeue path.
The practical impact was demonstrated on virtio-net devices by generating heavy network traffic while rapidly changing the number of queue pairs using ethtool -L. KASAN detected slab-use-after-free errors in __qdisc_run(), confirming memory corruption occurred during the race window.
Root Cause
The root cause is a serialization mismatch between the reset and dequeue paths for lockless qdiscs (TCQ_F_NOLOCK). The qdisc_reset_all_tx_gt() function uses qdisc_lock() for synchronization, but lockless qdiscs bypass this lock entirely during packet dequeue operations, instead relying on qdisc->seqlock. This creates a race window where memory can be freed by the reset operation while still in use by the concurrent dequeue operation.
Attack Vector
The vulnerability can be triggered by any process with sufficient privileges to modify network interface queue configurations. The attack requires:
- A network interface using lockless qdiscs (e.g., pfifo_fast on virtio-net)
- Active network traffic generating qdisc dequeue operations
- Concurrent modification of transmit queue count via ethtool -L or similar mechanisms
The race condition can be reproduced using the following approach:
In one terminal, generate continuous UDP traffic:
iperf3 -ub0 -c $peer -t 0
In another terminal, rapidly toggle the number of combined queues:
while :; do
    ethtool -L eth0 combined 1
    ethtool -L eth0 combined 2
done
This triggers the race between qdisc_reset() (called during queue reduction) and __qdisc_run() (processing ongoing traffic), resulting in Use-After-Free conditions detectable by KASAN.
Detection Methods for CVE-2026-23340
Indicators of Compromise
- KASAN reports showing slab-use-after-free in __qdisc_run() or related network scheduler functions
- Kernel crashes or panics in the network stack, particularly during queue reconfiguration operations
- Unexpected memory corruption errors following ethtool -L commands or programmatic queue adjustments
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) to detect Use-After-Free conditions during testing and development
- Monitor kernel logs for KASAN warnings related to __qdisc_run, pfifo_fast_reset, or qdisc_reset functions
- Audit systems for frequent ethtool -L operations that modify transmit queue counts under load
Monitoring Recommendations
- Implement kernel log monitoring for patterns like BUG: KASAN: slab-use-after-free in network scheduler code paths
- Track system stability metrics on hosts with dynamic network queue configuration
- Review audit logs for privileged network configuration changes that could trigger the race condition
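One way to implement the kernel-log monitoring described above, as an added example that is not part of the original advisory or of the kernel project. It groups each KASAN slab-use-after-free report and keeps only those whose faulting function or free stack involves the functions this page names (`__qdisc_run`, `pfifo_fast_reset`, `qdisc_reset`). The sample log is constructed, and `example_unrelated_fn` and `example_free_fn` are hypothetical names used to show a report that is filtered out.

```shell
#!/bin/sh
# Added example (not from the advisory): triage KASAN reports for the
# net/sched functions this page names. Reads kernel log text on stdin and
# prints "<faulting function> <qdisc function in the free stack, or ->".
scan_kasan_qdisc() {
    awk '
    function emit() {
        if (in_rep && (sym ~ /^(__qdisc_run|pfifo_fast_reset|qdisc_reset)$/ || freer != "-"))
            print sym, freer
        in_rep = 0
    }
    /BUG: KASAN: slab-use-after-free in / {
        emit()                                  # close the previous report
        sym = $0
        sub(/.*slab-use-after-free in /, "", sym)
        sub(/\+0x.*/, "", sym)                  # drop the +offset/size suffix
        in_rep = 1; sect = ""; freer = "-"
        next
    }
    !in_rep { next }
    /Freed by task/ { sect = "free"; next }
    /Allocated by task|The buggy address/ { sect = ""; next }
    sect == "free" && freer == "-" && match($0, /pfifo_fast_reset|qdisc_reset/) {
        freer = substr($0, RSTART, RLENGTH)     # first reset frame in free stack
    }
    END { emit() }
    '
}

# Constructed sample log: timestamps, offsets, addresses, tasks are made up.
sample_log() {
    cat <<'EOF'
[  812.104113] BUG: KASAN: slab-use-after-free in __qdisc_run+0x100/0x200
[  812.104120] Read of size 8 at addr ffff888000000000 by task iperf3/1001
[  812.104200] Allocated by task 1001:
[  812.104210]  __alloc_skb+0x10/0x20
[  812.104300] Freed by task 1002:
[  812.104310]  pfifo_fast_reset+0x10/0x20
[  812.104320]  qdisc_reset+0x10/0x20
[  812.104400] The buggy address belongs to the object at ffff888000000000
[  901.000001] BUG: KASAN: slab-use-after-free in example_unrelated_fn+0x10/0x20
[  901.000010] Freed by task 7:
[  901.000020]  example_free_fn+0x10/0x20
EOF
}

sample_log | scan_kasan_qdisc
```

On a live host the same function can be fed from `dmesg` or `journalctl -k` instead of the sample log.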
How to Mitigate CVE-2026-23340
Immediate Actions Required
- Apply the kernel patches from the stable kernel branches as soon as they are available for your distribution
- Avoid dynamically changing transmit queue counts on interfaces under heavy traffic load
- Consider temporarily using static queue configurations on production systems until patching is complete
Patch Information
The fix serializes qdisc_reset_all_tx_gt() against the lockless dequeue path by acquiring qdisc->seqlock for TCQ_F_NOLOCK qdiscs. This matches the serialization model already used by dev_reset_queue(). Additionally, the patch clears QDISC_STATE_NON_EMPTY after reset to ensure the qdisc state accurately reflects an empty queue, preventing unnecessary re-scheduling.
Patches are available in the Linux kernel stable branches:
- Commit 5bc4e69306ed
- Commit 7594467c49bf
- Commit 7f083faf59d1
- Commit 8314944cc3bd
- Commit c69df4e0524f
- Commit dbd58b0730aa
Workarounds
- Disable dynamic queue reconfiguration on production systems handling significant network traffic
- Schedule queue configuration changes during maintenance windows with minimal traffic
- Use network interface bonding or alternative high-availability configurations to avoid runtime queue adjustments
# Workaround: set a static queue configuration once, during a window with
# minimal traffic, and avoid further runtime changes
# Replace eth0 with your interface and 4 with your desired queue count
ethtool -L eth0 combined 4
# Verify the current queue configuration
ethtool -l eth0


