CVE-2026-23449 Overview
CVE-2026-23449 is a double-free vulnerability in the Linux kernel's TEQL (True Link Equalizer) network scheduler subsystem. The vulnerability exists in the teql_master_xmit function within net/sched/sch_teql.c, where improper synchronization when calling qdisc_reset on devices with lockless Qdisc configurations can lead to race conditions with the datapath.
When a TEQL device has a lockless Qdisc as its root, the qdisc_reset function should be called while holding the seq_lock to prevent concurrent access issues. Without this synchronization, multiple code paths can free the same socket buffer (skb) memory, resulting in a double-free condition that can cause kernel crashes and potentially be exploited for privilege escalation.
Critical Impact
This double-free vulnerability in the Linux kernel network scheduler can cause system crashes and may potentially be leveraged for local privilege escalation on affected systems.
Affected Products
- Linux kernel with TEQL (sch_teql) network scheduler enabled
- Linux kernel versions with lockless Qdisc support
- Systems using traffic equalization features in network configurations
Discovery Timeline
- April 3, 2026 - CVE-2026-23449 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23449
Vulnerability Analysis
The vulnerability resides in the TEQL network scheduler module, specifically in how qdisc_reset is invoked during queue discipline teardown operations. The TEQL subsystem provides traffic equalization across multiple network interfaces, allowing packet distribution for load balancing purposes.
When a TEQL device is configured with a lockless Qdisc as its root scheduler, a race condition can occur between the reset path and the data transmission path (teql_master_xmit). The crash trace reveals that during teql_destroy, the qdisc_reset function is called which triggers pfifo_fast_reset. This reset operation iterates through queued packets and frees them. However, without proper locking via seq_lock, the datapath may simultaneously access and free the same socket buffer, resulting in a double-free in skb_release_data.
The KASAN (Kernel Address Sanitizer) output demonstrates this clearly, showing a double-free detected at skb_release_data (net/core/skbuff.c:1139) where the same memory address (ffff88810c67ec00) is freed twice—first by task 299 and then again by task 318 (poc_teql_uaf_ke).
Root Cause
The root cause is missing synchronization in the TEQL scheduler's reset path. When qdisc_reset is called during teql_destroy, it does not acquire the seq_lock before iterating through and freeing queued packets. This allows the datapath (running on a different CPU) to concurrently access and free packets from the same queue, leading to a double-free condition.
The fix requires that qdisc_reset operations on TEQL devices with lockless Qdisc configurations be performed while holding the appropriate spinlock to serialize access between the reset and datapath code paths.
Attack Vector
The vulnerability can be triggered locally by manipulating network scheduler configurations. An attacker with the ability to configure network interfaces and queue disciplines could create conditions that trigger the race:
- Configure a TEQL device with a lockless Qdisc (such as pfifo_fast) as root
- Generate network traffic through the TEQL device
- Trigger a Qdisc replacement or destruction operation while traffic is in flight
- The race between packet transmission and queue reset causes the double-free
The crash trace shows this can be triggered via tc_get_qdisc operations, suggesting that netlink-based traffic control commands can be used to manipulate the scheduler state and trigger the vulnerability.
Detection Methods for CVE-2026-23449
Indicators of Compromise
- Kernel crash logs containing "BUG: KASAN: double-free in skb_release_data"
- System crashes in teql_destroy or teql_master_xmit functions
- KASAN reports indicating double-free conditions in net/core/skbuff.c
- Unexpected system reboots when performing traffic control operations on TEQL devices
Detection Strategies
- Monitor kernel logs for KASAN double-free reports involving skb_release_data or TEQL-related functions
- Deploy runtime memory corruption detection tools (KASAN, KFENCE) on systems using TEQL schedulers
- Review traffic control configurations for TEQL devices with lockless Qdisc setups
- Use kernel tracing to monitor qdisc_reset and teql_destroy function calls
Monitoring Recommendations
- Enable KASAN in development and testing environments to detect memory corruption early
- Monitor /var/log/kern.log and dmesg output for double-free or use-after-free reports
- Implement automated alerting on kernel panic events related to network scheduler subsystems
- Track tc command executions that modify TEQL device configurations
How to Mitigate CVE-2026-23449
Immediate Actions Required
- Apply the official kernel patches from the Linux kernel stable branches
- Disable TEQL network scheduler (sch_teql) if not actively required
- Restrict access to traffic control (tc) commands to trusted administrators only
- Consider blacklisting the sch_teql kernel module until patched
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures that qdisc_reset is called while holding the seq_lock when dealing with TEQL devices that have lockless Qdisc configurations.
Multiple patches are available across different kernel stable branches:
- Kernel Git Commit 21c89a0
- Kernel Git Commit 4a23344
- Kernel Git Commit 4e8ebc4
- Kernel Git Commit 6636046
- Kernel Git Commit afbc79a
- Kernel Git Commit e9c66d3
Workarounds
- Blacklist the sch_teql module by adding blacklist sch_teql to /etc/modprobe.d/blacklist.conf
- Remove existing TEQL configurations using tc qdisc del dev <interface> root teql0
- Restrict unprivileged user access to network namespace and traffic control capabilities
- Use alternative load balancing mechanisms such as bonding or team drivers
# Disable TEQL module loading
echo "blacklist sch_teql" >> /etc/modprobe.d/blacklist-teql.conf
echo "install sch_teql /bin/false" >> /etc/modprobe.d/blacklist-teql.conf
# Unload module if currently loaded
modprobe -r sch_teql
# Remove any existing TEQL configurations
tc qdisc del dev eth0 root teql0 2>/dev/null || true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
