CVE-2026-23413 Overview
A use-after-free vulnerability has been identified in the clsact qdisc implementation of the Linux kernel. The flaw is an asymmetry between initialization and the rollback performed when initialization fails: incorrect reference handling during a failed initialization and the cleanup that follows leads to memory corruption. When a clsact qdisc replacement fails midway through initialization, the destroy callback accesses memory that may already have been freed or that belongs to the previous clsact instance.
Critical Impact
Successful exploitation of this use-after-free vulnerability could allow local attackers with sufficient privileges to cause system instability, denial of service, or potentially achieve privilege escalation through kernel memory corruption.
Affected Products
- Linux Kernel (multiple versions with clsact qdisc support)
- Linux distributions using affected kernel versions with Traffic Control (tc) subsystem enabled
- Systems utilizing BPF/tcx functionality with clsact qdisc
Discovery Timeline
- 2026-04-02 - CVE-2026-23413 published to NVD
- 2026-04-02 - Last updated in the NVD database
Technical Details for CVE-2026-23413
Vulnerability Analysis
The vulnerability resides in the clsact qdisc module of the Linux kernel's network Traffic Control subsystem. The clsact qdisc is responsible for managing ingress and egress traffic classification, often used in conjunction with BPF programs for packet processing.
The clsact_init() function initializes the ingress component first, then proceeds to initialize the egress component. During this two-stage initialization, tcf_block_get_ext() is called for each direction. If this function fails during egress initialization (after ingress has been successfully initialized), the kernel triggers clsact_destroy() for cleanup.
The root cause lies in how clsact_destroy() determines what needs to be cleaned up. Prior to the fix, the destroy function checked whether {ingress,egress}_entry pointers were non-NULL to decide whether to release resources. However, during a replacement scenario where a new clsact instance fails midway, both entry pointers could be non-NULL—with the egress_entry actually pointing to a valid entry from the previous clsact instance rather than the partially-initialized new instance.
This creates a use-after-free scenario where the destroy callback may attempt to decrement reference counts or release resources that either don't belong to the current instance or have already been freed.
Root Cause
The vulnerability stems from an incorrect assumption in the clsact_destroy() callback. The function used non-NULL pointer checks on ingress_entry and egress_entry to determine initialization state, but these checks are insufficient during qdisc replacement failures. As noted in commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry"), the transition handling between old and new clsact instances can result in the entry pointers referencing the previous instance's data even when the new instance initialization failed partway through.
The fix introduces a helper function mini_qdisc_pair_inited() that accurately tracks whether the qdisc instance-specific ingress or egress side was actually initialized, ensuring proper cleanup only of resources that belong to the failing instance.
Attack Vector
Exploitation requires local access with privileges to manipulate network qdisc configurations via the Traffic Control (tc) interface. An attacker would need to:
- Create a clsact qdisc on a network interface
- Trigger a replacement operation for the clsact qdisc
- Cause the replacement to fail midway through initialization (e.g., by exhausting resources or triggering an error in tcf_block_get_ext())
- Exploit the resulting memory corruption from the improper cleanup
The vulnerability mechanism can be understood through the initialization flow where clsact_init() first calls tcx_miniq_inc() for ingress, then attempts the same for egress. If the egress initialization fails via tcf_block_get_ext(), the subsequent clsact_destroy() call would incorrectly attempt to clean up the egress entry from the previous instance.
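As an added illustration of the asymmetry described in the analysis and root-cause passages above (this is a model, not kernel code), the block below contrasts the pre-fix "non-NULL means owned" cleanup with per-direction initialisation tracking. tcx_entry_get/put are hypothetical stand-ins for the real reference paths, and the egress pointer is deliberately set to the previous instance's entry to reproduce the state the advisory describes.

```c
#include <stdbool.h>
/* Illustrative model of the clsact init/destroy asymmetry; not kernel code.
 * tcx_entry_get/put are hypothetical stand-ins for the real reference paths. */
struct tcx_entry { int refcnt; bool freed; };
struct clsact_priv {
    struct tcx_entry *ingress_entry;
    struct tcx_entry *egress_entry;
    bool ingress_inited;   /* per-direction state that the fix consults */
    bool egress_inited;
};

static struct tcx_entry *tcx_entry_get(struct tcx_entry *e) { e->refcnt++; return e; }

static void tcx_entry_put(struct tcx_entry *e)
{
    if (--e->refcnt == 0)
        e->freed = true;   /* models kfree(); any later use of e is a UAF */
}

/* Pre-fix cleanup: treats every non-NULL pointer as a reference it owns. */
static void clsact_destroy_buggy(struct clsact_priv *q)
{
    if (q->ingress_entry) tcx_entry_put(q->ingress_entry);
    if (q->egress_entry)  tcx_entry_put(q->egress_entry);
}

/* Post-fix cleanup: releases only the sides this instance initialised. */
static void clsact_destroy_fixed(struct clsact_priv *q)
{
    if (q->ingress_inited) tcx_entry_put(q->ingress_entry);
    if (q->egress_inited)  tcx_entry_put(q->egress_entry);
}

/* Replacement that fails after ingress: the old qdisc owns one reference to
 * each entry; the new instance takes its ingress reference, then egress setup
 * fails (tcf_block_get_ext() error) while its egress pointer still refers to
 * the previous instance's entry. Returns true if that entry was freed. */
static bool replace_fails_midway(bool use_fixed_destroy)
{
    struct tcx_entry ing = { .refcnt = 1 }, egr = { .refcnt = 1 };
    struct clsact_priv newq = { 0 };

    newq.ingress_entry = tcx_entry_get(&ing);
    newq.ingress_inited = true;
    newq.egress_entry = &egr;   /* aliases the old entry; no reference taken */

    if (use_fixed_destroy) clsact_destroy_fixed(&newq);
    else clsact_destroy_buggy(&newq);
    return egr.freed;           /* old qdisc still believes it owns egr */
}
```

With the buggy cleanup the previous instance's egress entry is released from under the qdisc that still uses it; with the per-direction check it survives and the ingress reference is returned cleanly.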
Detection Methods for CVE-2026-23413
Indicators of Compromise
- Unexpected kernel panics or crashes related to the Traffic Control (tc) subsystem or clsact qdisc operations
- Kernel log messages indicating use-after-free conditions in the networking stack, particularly mentioning clsact_destroy or tcf_block functions
- KASAN (Kernel Address Sanitizer) reports highlighting memory access violations in qdisc-related code paths
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) on test systems to detect use-after-free conditions during qdisc operations
- Monitor kernel logs for oops messages or warnings related to Traffic Control subsystem components
- Implement audit rules for tc command executions that modify qdisc configurations
- Deploy kernel live patching solutions to detect and alert on unpatched kernel versions
Monitoring Recommendations
- Configure syslog monitoring for kernel panic events and networking subsystem errors
- Monitor system stability metrics for unexpected increases in kernel-level crashes or restarts
- Track tc command usage patterns for anomalous qdisc manipulation activity
- Enable eBPF tracing on clsact_init and clsact_destroy functions for detailed debugging if exploitation is suspected
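An added detection example (not part of the original advisory) for the log indicators listed above: it walks a buffer of kernel log lines and counts KASAN use-after-free reports whose header or call trace names a clsact or tcf_block function. The sample log lines are constructed, not captured from a real system.

```c
#include <stdbool.h>
#include <string.h>
/* Added detection example: count KASAN use-after-free reports that name a
 * clsact/tcf_block function, mirroring the indicators listed above. */
static const char *const tc_funcs[] = { "clsact_destroy", "clsact_init", "tcf_block_" };

static bool mentions_tc_func(const char *line)
{
    for (size_t i = 0; i < sizeof tc_funcs / sizeof *tc_funcs; i++)
        if (strstr(line, tc_funcs[i]))
            return true;
    return false;
}

/* A KASAN report runs from its "BUG: KASAN:" header to the "====" trailer.
 * It counts if it is a use-after-free and any of its lines mentions tc_funcs. */
static int count_clsact_uaf_reports(const char *const *lines, size_t n)
{
    int hits = 0;
    bool in_uaf = false, relevant = false;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (strstr(l, "BUG: KASAN:")) {           /* report header */
            in_uaf = strstr(l, "use-after-free") != NULL;
            relevant = false;
        }
        if (in_uaf && mentions_tc_func(l))
            relevant = true;
        if (in_uaf && strstr(l, "==========")) { /* report trailer */
            hits += relevant;
            in_uaf = false;
        }
    }
    return hits;
}

/* Constructed sample log: one relevant UAF, one unrelated UAF and one
 * out-of-bounds report in a tc function. Only the first should count. */
static const char *const sample_log[] = {
    "[  12.002] BUG: KASAN: slab-use-after-free in clsact_destroy+0x1a/0x40",
    "[  12.005]  clsact_destroy+0x1a/0x40",
    "[  12.007] ==================================================================",
    "[  30.000] BUG: KASAN: slab-use-after-free in unrelated_fn+0x10/0x20",
    "[  30.001]  unrelated_fn+0x10/0x20",
    "[  30.002] ==================================================================",
    "[  40.000] BUG: KASAN: slab-out-of-bounds in tcf_block_get_ext+0x22/0x80",
    "[  40.001] ==================================================================",
};
```

To use it on a live system, feed `dmesg` or journal output line by line into count_clsact_uaf_reports(); a non-zero count is the condition to alert on.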
How to Mitigate CVE-2026-23413
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix that introduces the mini_qdisc_pair_inited() helper function
- Review system configurations for unnecessary use of clsact qdisc and disable if not required
- Restrict access to the tc command and netlink socket operations to trusted administrators only
- Enable kernel security features such as KASLR and SMAP/SMEP to reduce exploitation potential
Patch Information
The fix has been committed to the Linux kernel stable tree. Multiple commits address this vulnerability across different kernel branches:
- Kernel Commit 0509b762bc5e
- Kernel Commit 37bef86e5428
- Kernel Commit 4c9af67f99aa
- Kernel Commit a0671125d4f5
- Kernel Commit a73d95b57bf9
The patches add a mini_qdisc_pair_inited() helper function that properly tracks the initialization state of each qdisc direction, ensuring clsact_destroy() only releases resources that were actually initialized by the current instance.
Workarounds
- Limit access to the Traffic Control (tc) interface to highly privileged users via system hardening and access controls
- Avoid frequent clsact qdisc replacement operations in production environments until patched
- Consider using alternative qdisc types if clsact functionality is not essential for your network configuration
- Deploy mandatory access control policies (SELinux, AppArmor) restricting network configuration changes
# Restrict tc command access to root only
# Note: qdisc changes are made over netlink and require CAP_NET_ADMIN; locking
# down the binary limits casual use but does not restrict the kernel interface itself
chmod 750 /sbin/tc
chown root:root /sbin/tc
# Audit tc command executions (key tc_usage for searching with ausearch -k)
auditctl -a always,exit -F path=/sbin/tc -F perm=x -k tc_usage
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.