CVE-2026-23413

EPSS 0.02%
Veröffentlicht 02.04.2026 11:40:54
Zuletzt bearbeitet 27.04.2026 14:16:31
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

clsact: Fix use-after-free in init/destroy rollback asymmetry

In the Linux kernel, the following vulnerability has been resolved:

clsact: Fix use-after-free in init/destroy rollback asymmetry

Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry.
The latter is achieved by first fully initializing a clsact instance, and
then in a second step having a replacement failure for the new clsact qdisc
instance. clsact_init() initializes ingress first and then takes care of the
egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon
failure, the kernel will trigger the clsact_destroy() callback.

Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the
way how the transition is happening. If tcf_block_get_ext on the q->ingress_block
ends up failing, we took the tcx_miniq_inc reference count on the ingress
side, but not yet on the egress side. clsact_destroy() tests whether the
{ingress,egress}_entry was non-NULL. However, even in midway failure on the
replacement, both are in fact non-NULL with a valid egress_entry from the
previous clsact instance.

What we really need to test for is whether the qdisc instance-specific ingress
or egress side previously got initialized. This adds a small helper for checking
the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon
clsact_destroy() in order to fix the use-after-free scenario. Convert the
ingress_destroy() side as well so both are consistent to each other.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 13 VulnDex Vulnerability Enrichment 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 6.6.41 < 6.6.130

Linux ≫ Linux Kernel Version >= 6.9.10 < 6.10

Linux ≫ Linux Kernel Version >= 6.10.1 < 6.12.78

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.20

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.10

Linux ≫ Linux Kernel Version6.10 Update-

Linux ≫ Linux Kernel Version7.0 Updaterc1

Linux ≫ Linux Kernel Version7.0 Updaterc2

Linux ≫ Linux Kernel Version7.0 Updaterc3

Linux ≫ Linux Kernel Version7.0 Updaterc4

Linux ≫ Linux Kernel Version7.0 Updaterc5

Linux ≫ Linux Kernel Version7.0 Updaterc6

Linux ≫ Linux Kernel Version7.0 Updaterc7

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.034

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
416baaa9-dc9f-4396-8d5f-8c081fb06d67	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/a73d95b57bf9faebdfed591bcb7ed9292062a84c

Patch

https://git.kernel.org/stable/c/37bef86e5428d59f70a4da82b80f9a8f252fecbe

Patch

https://git.kernel.org/stable/c/4c9af67f99aa3e51b522c54968ab3ac8272be41c

Patch

https://git.kernel.org/stable/c/0509b762bc5e8ea7b8391130730c6d8502fc6e69

Patch

https://git.kernel.org/stable/c/a0671125d4f55e1e98d9bde8a0b671941987e208

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-23413

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-23413

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-23413

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-23413