CVE-2026-23436 Overview
A race condition vulnerability has been identified in the Linux kernel's network shaper subsystem. The flaw exists in the handling of netdev hierarchy creation during Netlink operations. When looking up a netdev during preparation of Netlink ops (pre-callbacks), the kernel takes a reference to it, but the actual protection mechanisms (lock or RCU) are only acquired later in the callback body. This timing gap allows the netdev to become unregistered between the reference acquisition and the lock acquisition, potentially leading to hierarchy allocation after flush operations have completed, resulting in a memory leak.
Critical Impact
This race condition in the Linux kernel network shaper could lead to memory leaks on affected systems, potentially causing resource exhaustion over time.
Affected Products
- Linux Kernel (net: shaper subsystem)
Discovery Timeline
- 2026-04-03 - CVE CVE-2026-23436 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-23436
Vulnerability Analysis
This vulnerability represents a Time-of-Check Time-of-Use (TOCTOU) race condition in the Linux kernel's network shaper component. The fundamental issue lies in the separation between when a netdev reference is acquired and when protective locks are actually taken.
During Netlink SET operations, the kernel performs a two-phase operation: first, it looks up the target network device and increments its reference counter during the prep phase (pre-callbacks). Subsequently, in the main callback body, it acquires the instance lock or RCU protection to perform the actual shaper configuration. This temporal gap between reference acquisition and lock acquisition creates a vulnerability window.
If a netdev becomes unregistered during this window, the hierarchy flush operation may have already completed. However, because the reference is still held, subsequent code may still allocate a new hierarchy structure. Since the flush has already run, this newly allocated hierarchy becomes orphaned and is never properly freed, causing a memory leak.
Root Cause
The root cause is the insufficient synchronization between the netdev lookup phase and the actual shaper operations. The original implementation relied on the reference count alone to protect the netdev during the prep phase, deferring lock acquisition until the callback body. This design assumption failed to account for the scenario where unregistration and flush could occur in the window between these two phases.
The fix addresses this by moving instance lock acquisition to the pre-callback phase itself. This ensures that no concurrent write operations (including flush) can occur once the reference is taken, eliminating the race condition entirely. While this approach may acquire locks for devices that don't support shapers, this overhead only affects SET operations and represents an acceptable trade-off since not taking the lock would be optimizing for an error case.
Attack Vector
The attack vector for this vulnerability involves triggering concurrent netdev unregistration events while Netlink shaper operations are in progress. An attacker with sufficient privileges to perform network device operations could repeatedly trigger this race condition to cause incremental memory leaks.
The exploitation scenario involves timing the unregistration of a network device to occur precisely during the window between the netdev lookup (with reference acquisition) and the lock acquisition in the callback body. While the precise timing makes reliable exploitation challenging, sustained attempts could lead to gradual memory exhaustion on the target system.
Detection Methods for CVE-2026-23436
Indicators of Compromise
- Unexplained gradual memory consumption growth in kernel space (slab allocations)
- Increased frequency of network device registration/unregistration operations in system logs
- Memory pressure alerts without corresponding user-space memory growth
- Kernel memory leak detection tools (kmemleak) reporting orphaned shaper hierarchy structures
Detection Strategies
- Monitor kernel memory allocation patterns using /proc/slabinfo for anomalous growth in network-related caches
- Deploy kernel tracing (ftrace/eBPF) to monitor for rapid sequences of netdev registration/unregistration paired with shaper Netlink operations
- Implement alerting on sustained memory growth patterns characteristic of slow kernel memory leaks
- Use SentinelOne Singularity platform's kernel-level visibility to detect anomalous system behavior
Monitoring Recommendations
- Enable kernel memory accounting and establish baseline memory consumption for network subsystem components
- Configure alerts for memory growth exceeding normal operational thresholds
- Monitor for unusual patterns in Netlink socket activity related to network shaper configuration
- Regularly review system memory statistics on systems with high network device churn
How to Mitigate CVE-2026-23436
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for this race condition
- Prioritize patching on systems with dynamic network device creation/destruction (containers, virtual networking)
- Monitor affected systems for signs of memory leaks until patches can be applied
- Consider limiting access to Netlink shaper operations where feasible
Patch Information
The vulnerability has been addressed in the Linux kernel through commits that move the instance lock acquisition to the pre-callback phase. The fix eliminates the race window by ensuring synchronization occurs before any reference to the netdev is used for shaper operations.
Patches are available through the kernel stable tree:
Workarounds
- Limit unprivileged access to network namespace operations and Netlink sockets
- Reduce frequency of dynamic network device creation/destruction where operationally feasible
- Monitor memory consumption and schedule periodic system reboots as a temporary measure to reclaim leaked memory
- Consider network isolation for systems that cannot be immediately patched
# Check current kernel version for vulnerability assessment
uname -r
# Monitor kernel memory for potential leaks
cat /proc/meminfo | grep -E "Slab|SReclaimable|SUnreclaim"
# Review network device operations in kernel logs
dmesg | grep -i "netdev\|unregister"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
