
CVE-2026-23340

Published: March 25, 2026 · Updated: Mar 25, 2026

EPSS: 0.02% probability of exploitation in 30 days · Percentile: 6.5th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs

When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used.

qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_reset() can run concurrently with __qdisc_run() and free skbs while they are still being dequeued, leading to UAF.

This can easily be reproduced on e.g. virtio-net by imposing heavy traffic while frequently changing the number of queue pairs:

    iperf3 -ub0 -c $peer -t 0 &
    while :; do
        ethtool -L eth0 combined 1
        ethtool -L eth0 combined 2
    done

With KASAN enabled, this leads to reports like:

    BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760
    ...
    Call Trace:
     <TASK>
     ...
     __qdisc_run+0x133f/0x1760
     __dev_queue_xmit+0x248f/0x3550
     ip_finish_output2+0xa42/0x2110
     ip_output+0x1a7/0x410
     ip_send_skb+0x2e6/0x480
     udp_send_skb+0xb0a/0x1590
     udp_sendmsg+0x13c9/0x1fc0
     ...
     </TASK>

    Allocated by task 1270 on cpu 5 at 44.558414s:
     ...
     alloc_skb_with_frags+0x84/0x7c0
     sock_alloc_send_pskb+0x69a/0x830
     __ip_append_data+0x1b86/0x48c0
     ip_make_skb+0x1e8/0x2b0
     udp_sendmsg+0x13a6/0x1fc0
     ...

    Freed by task 1306 on cpu 3 at 44.558445s:
     ...
     kmem_cache_free+0x117/0x5e0
     pfifo_fast_reset+0x14d/0x580
     qdisc_reset+0x9e/0x5f0
     netif_set_real_num_tx_queues+0x303/0x840
     virtnet_set_channels+0x1bf/0x260 [virtio_net]
     ethnl_set_channels+0x684/0xae0
     ethnl_default_set_doit+0x31a/0x890
     ...

Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the serialization model already used by dev_reset_queue().

Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state reflects an empty queue, avoiding needless re-scheduling.

NVD Source
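
A triage check for the KASAN signature quoted in the description, added here as an example (it is not code from the kernel patch or from this page's sources): it splits a report into its access, allocation and free stacks and flags the case where the access is in `__qdisc_run` and the free came through `qdisc_reset` called from `netif_set_real_num_tx_queues`. The helper names `parse_kasan` and `matches_qdisc_reset_race` are hypothetical, and the sample log is constructed by trimming the trace above.

```python
import re

FRAME = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
BUG = re.compile(r"BUG: KASAN: (\S+) in ([A-Za-z_][\w.]*)\+")
SECTIONS = (("Call Trace:", "access"), ("Allocated by task", "alloc"),
            ("Freed by task", "free"))

def parse_kasan(report):
    """Split one KASAN report into bug type, faulting symbol and three stacks."""
    out = {"type": None, "where": None, "access": [], "alloc": [], "free": []}
    section = None
    for line in report.splitlines():
        if (m := BUG.search(line)):
            out["type"], out["where"] = m.groups()
            continue
        marker = next((name for text, name in SECTIONS if text in line), None)
        if marker:
            section = marker
        elif section and (f := FRAME.search(line)):
            out[section].append(f.group(1))
    return out

def matches_qdisc_reset_race(report):
    """True when a dequeue-side access hit an skb freed by a tx-queue shrink."""
    r = parse_kasan(report)
    free = r["free"]
    return (str(r["type"]).endswith("use-after-free")
            and "__qdisc_run" in r["access"]
            and "qdisc_reset" in free
            and "netif_set_real_num_tx_queues" in free
            # stacks are innermost-first: the reset is called by the resize
            and free.index("qdisc_reset") < free.index("netif_set_real_num_tx_queues"))

# Constructed sample, trimmed from the report quoted in the description.
SAMPLE_HIT = """\
BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760
Call Trace:
 <TASK>
 __qdisc_run+0x133f/0x1760
 __dev_queue_xmit+0x248f/0x3550
Allocated by task 1270 on cpu 5 at 44.558414s:
 alloc_skb_with_frags+0x84/0x7c0
Freed by task 1306 on cpu 3 at 44.558445s:
 kmem_cache_free+0x117/0x5e0
 pfifo_fast_reset+0x14d/0x580
 qdisc_reset+0x9e/0x5f0
 netif_set_real_num_tx_queues+0x303/0x840
 virtnet_set_channels+0x1bf/0x260 [virtio_net]
"""
```

A match only appears on kernels built with KASAN; on production kernels the same race would surface, if at all, as a less specific crash in the transmit path.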

Technical Analysis

CVE-2026-23340 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-23340
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: Mar 25, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23340 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.