
CVE-2026-23379: Linux Kernel ETS Scheduler DOS Vulnerability

CVE-2026-23379 is a denial of service flaw in the Linux kernel's ETS scheduler that causes divide-by-zero errors through integer overflow. This article covers technical details, affected versions, impact, and mitigation steps.

Published: March 27, 2026

CVE-2026-23379 Overview

A divide-by-zero vulnerability has been identified in the Linux kernel's network scheduler ETS (Enhanced Transmission Selection) qdisc implementation. The flaw exists in the offload path where computing each class' Weighted Round Robin (WRR) weight can result in an integer overflow condition, subsequently triggering a division by zero error and causing a kernel panic.

Critical Impact

This vulnerability can cause a complete system crash (kernel panic) when an attacker triggers the integer overflow condition in the ETS scheduler's offload path, resulting in denial of service.

Affected Products

  • Linux Kernel with sch_ets module enabled
  • Systems utilizing ETS (Enhanced Transmission Selection) network scheduling
  • Network devices with hardware offloading capabilities using ETS qdisc

Discovery Timeline

  • March 25, 2026 - CVE-2026-23379 published to NVD
  • March 25, 2026 - Last updated in NVD database

Technical Details for CVE-2026-23379

Vulnerability Analysis

The vulnerability resides in the ets_offload_change() function within the sch_ets kernel module. When offloading ETS scheduling to hardware, the kernel computes each traffic class's WRR weight by averaging over the sums of quanta using variables q_sum and q_psum. These variables were implemented as unsigned int type, matching the size of individual DRR (Deficit Round Robin) quanta values.

The fundamental issue is that when multiple quanta values are summed, the accumulated value can exceed the maximum representable value for an unsigned 32-bit integer (4,294,967,295), causing the sum to wrap around to zero or a small positive number. When the sum wraps to exactly zero and is subsequently used as the divisor in the WRR weight calculation, a divide-by-zero exception occurs, triggering a kernel panic.

The crash trace reveals the exact location: RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] with the error code indicating a divide error (Oops: divide error: 0000).

Root Cause

The root cause is the use of 32-bit unsigned integers (unsigned int) for accumulating quantum sums in the ETS offload calculation. When processing multiple ETS classes with large quantum values, the accumulated sum can overflow the 32-bit boundary. The overflow leaves either a small wrapped-around value or zero; a zero result, used as a divisor, causes the division-by-zero exception.

The fix involves changing the q_sum and q_psum variables from 32-bit to 64-bit integers, providing sufficient capacity to accumulate quantum sums without overflow risk.
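
The arithmetic behind the root cause and the fix, as an added user-space example (not the kernel's source and not code from this advisory). q_sum and q_psum are the names used above; the weight formula, w_psum, w_prev and both function names are assumptions made for illustration, and the quanta are constructed sample values. A return of -1 marks the point where the kernel would raise the divide error.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model of the weight step described above, not kernel source.
 * Assumed formula: weight[i] = running share q_psum*100/q_sum minus the
 * previous share. Returns -1 where a division by zero would occur. */

/* Pre-fix: 32-bit accumulators wrap modulo 2^32. */
int wrr_weights_u32(const uint32_t *quanta, size_t n, uint32_t *weights)
{
    uint32_t q_sum = 0, q_psum = 0, w_prev = 0;
    for (size_t i = 0; i < n; i++)
        q_sum += quanta[i];
    if (q_sum == 0)
        return -1;              /* the kernel raises a divide error here */
    for (size_t i = 0; i < n; i++) {
        q_psum += quanta[i];
        uint32_t w_psum = q_psum * 100 / q_sum;
        weights[i] = w_psum - w_prev;
        w_prev = w_psum;
    }
    return 0;
}

/* Post-fix: 64-bit accumulators, per the patch description. */
int wrr_weights_u64(const uint32_t *quanta, size_t n, uint32_t *weights)
{
    uint64_t q_sum = 0, q_psum = 0;
    uint32_t w_prev = 0;
    for (size_t i = 0; i < n; i++)
        q_sum += quanta[i];
    if (q_sum == 0)
        return -1;              /* only if every quantum is zero */
    for (size_t i = 0; i < n; i++) {
        q_psum += quanta[i];
        uint32_t w_psum = (uint32_t)(q_psum * 100 / q_sum);
        weights[i] = w_psum - w_prev;
        w_prev = w_psum;
    }
    return 0;
}

int main(void)
{
    const uint32_t quanta[2] = { 0x80000000u, 0x80000000u }; /* constructed */
    uint32_t w[2] = { 0, 0 };
    int before = wrr_weights_u32(quanta, 2, w), after = wrr_weights_u64(quanta, 2, w);
    printf("u32 rc=%d, u64 rc=%d weights=%u,%u\n", before, after, w[0], w[1]);
    return 0;
}
```

When the 32-bit sum wraps to a small non-zero value instead of zero, the model does not fault but returns skewed weights, which the 64-bit version also corrects.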

Attack Vector

An attacker with sufficient privileges to configure network Quality of Service (QoS) settings can exploit this vulnerability by crafting ETS qdisc configurations with carefully chosen quantum values. When the tc (traffic control) utility is used to create or modify an ETS qdisc with parameters that cause the quantum sum to overflow, the kernel attempts to offload this configuration to hardware, triggering the vulnerable code path.

The attack chain involves:

  1. Attacker configures multiple ETS traffic classes with large quantum values
  2. The kernel's tc_modify_qdisc() function processes the configuration
  3. ets_qdisc_change() is called to apply the changes
  4. ets_offload_change() calculates WRR weights with overflowed sum
  5. Division by zero occurs, triggering kernel panic

The crash trace shows the complete call path through netlink_sendmsg → tc_modify_qdisc → ets_qdisc_change → ets_offload_change, confirming exploitation via the standard tc netlink interface.

Detection Methods for CVE-2026-23379

Indicators of Compromise

  • Kernel crash logs (dmesg) showing divide error: 0000 with RIP pointing to ets_offload_change in sch_ets module
  • System crashes or unexpected reboots when modifying network QoS configurations
  • Kernel panic messages referencing sch_ets module in the call trace

Detection Strategies

  • Monitor system logs for kernel oops messages containing references to sch_ets or ets_offload_change
  • Implement kernel crash dump analysis to identify divide-by-zero exceptions in network scheduler code
  • Deploy kernel module loading auditing to track sch_ets module usage

Monitoring Recommendations

  • Enable crash dump collection (kdump) to capture kernel state during panics for forensic analysis
  • Configure syslog alerting for kernel panic and oops messages
  • Monitor tc command usage, particularly ETS qdisc configuration changes with unusually large quantum values
  • Implement auditd rules to track netlink socket operations related to traffic control

How to Mitigate CVE-2026-23379

Immediate Actions Required

  • Apply the kernel patches from the official kernel.org stable branches immediately
  • If patching is not immediately possible, consider unloading the sch_ets module using modprobe -r sch_ets if ETS scheduling is not required
  • Restrict access to network QoS configuration capabilities to trusted administrators only
  • Monitor systems for any unusual network scheduler configuration attempts

Patch Information

The vulnerability has been fixed in multiple kernel stable branches. The fix involves upgrading the q_sum and q_psum variables from 32-bit to 64-bit integers to prevent integer overflow during quantum sum calculations.

Official patches are available from kernel.org:

  • Kernel Commit 3912871344d6
  • Kernel Commit 78b8d2f55a56
  • Kernel Commit 7dbffffd5761
  • Kernel Commit a6677e23b313
  • Kernel Commit abe1d5cb7fe1
  • Kernel Commit e35626f610f3

Workarounds

  • Unload the sch_ets kernel module if ETS scheduling functionality is not required: modprobe -r sch_ets
  • Blacklist the module to prevent automatic loading by adding blacklist sch_ets to /etc/modprobe.d/blacklist.conf
  • Restrict access to netlink sockets and traffic control utilities to prevent unauthorized QoS configuration changes
  • Implement network namespace isolation to limit the blast radius of potential exploitation attempts

```bash
# Temporary mitigation: Unload sch_ets module
rmmod sch_ets

# Permanent mitigation: Blacklist the module
echo "blacklist sch_ets" >> /etc/modprobe.d/blacklist.conf

# Verify module is not loaded
lsmod | grep sch_ets
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DOS
  • Vendor/Tech: Linux Kernel
  • Severity: NONE
  • CVSS Score: N/A
  • EPSS Probability: 0.02%
  • Known Exploited: No

Impact Assessment

  • Confidentiality: None
  • Integrity: None
  • Availability: None

Technical References

  • Kernel.org Commit Update


Related CVEs

  • CVE-2026-23398: Linux Kernel ICMP DoS Vulnerability
  • CVE-2026-23312: Linux Kernel Kaweth Driver DoS Vulnerability
  • CVE-2026-23382: Linux Kernel HID Driver DoS Vulnerability
  • CVE-2026-23385: Linux Kernel Netfilter DoS Vulnerability