Bug 2454831 (CVE-2026-23436) - CVE-2026-23436 kernel: net: shaper: protect from late creation of hierarchy
Summary: CVE-2026-23436 kernel: net: shaper: protect from late creation of hierarchy
Keywords:
Status: NEW
Alias: CVE-2026-23436
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-03 16:03 UTC by OSIDB Bzimport
Modified: 2026-04-03 18:35 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-03 16:03:09 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: shaper: protect from late creation of hierarchy

We look up a netdev during prep of Netlink ops (pre- callbacks)
and take a ref to it. Then later in the body of the callback
we take its lock or RCU which are the actual protections.

The netdev may get unregistered in between the time we take
the ref and the time we lock it. We may allocate the hierarchy
after flush has already run, which would lead to a leak.

Take the instance lock in pre- already, this saves us from the race
and removes the need for dedicated lock/unlock callbacks completely.
After all, if there's any chance of write happening concurrently
with the flush - we're back to leaking the hierarchy.

We may take the lock for devices which don't support shapers but
we're only dealing with SET operations here, not taking the lock
would be optimizing for an error case.
Comment 1 Jon Moroney 2026-04-03 18:33:27 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026040312-CVE-2026-23436-f1f8@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.