Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: Enforce that teql can only be used as root qdisc

Design intent of teql is that it is only supposed to be used as root qdisc.
We need to check for that constraint.

Although not important, I will describe the scenario that unearthed this
issue for the curious.

GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows:

ROOT qdisc 1:0 (QFQ)
├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s
└── class 1:2 (weight=1, lmax=1514) teql

GangMin sends a packet which is enqueued to 1:1 (netem).
Any invocation of dequeue by QFQ from this class will not return a packet
until after 6.4s. In the meantime, a second packet is sent and it lands on
1:2. teql's enqueue will return success and this will activate class 1:2.
Main issue is that teql only updates the parent visible qlen (sch->q.qlen)
at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's
peek always returns NULL), dequeue will never be called and thus the qlen
will remain as 0. With that in mind, when GangMin updates 1:2's lmax value,
the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's
qlen was not incremented, qfq fails to deactivate the class, but still
frees its pointers from the aggregate. So when the first packet is
rescheduled after 6.4 seconds (netem's delay), a dangling pointer is
accessed causing GangMin's causing a UAF.
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free in kernel traffic control
Action: Apply Patch
AI Analysis

Impact

A flaw in the Linux kernel’s traffic control subsystem permits the teql queuing discipline to be installed as a child of a root qdisc. When a packet is deferred by a parent qdisc, teql fails to update the queue length and the parent deactivates the child prematurely, leaving a dangling pointer that is dereferenced during a later dequeuing operation. This use‑after‑free condition can crash the kernel, potentially leading to a denial of service. The weakness is classified as CWE‑416 and is detectable only when privileged configuration of qdiscs is performed.

Affected Systems

All publicly available Linux kernel images are vulnerable until they are updated past the commit that enforces thteql usage as a root qdisc only. The affected releases include kernels 2.6.12 through at least 6.19, as indicated by the CPE list. The flaw exists in the kernel’s net/sched code and therefore applies to every distribution implementing the stock Linux kernel.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, yet the EPSS score is below 1%, showing a low probability of widespread exploitation in the current landscape. The vulnerability requires local or privileged kernel access to configure qdiscs; consequently an attacker with root or elevated capabilities could manipulate network traffic to trigger the use‑after‑free. Because the issue resides in kernel memory, successful exploitation could result in a kernel crash, leading to a denial of service. No public exploit is recorded and the flaw is not listed in the CISA KEV catalog at this time.

Generated by OpenCVE AI on April 16, 2026 at 01:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit enforcing teql usage only as a root qdisc
  • Remove or disable the teql queuing discipline if it is not required for your networking configuration
  • Restrict the creation of qdiscs to trusted users or groups, ensuring that only authorized processes can attach child qdiscs to a root qdisc

Generated by OpenCVE AI on April 16, 2026 at 01:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4475-1 linux security update
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6127-1 linux security update
Ubuntu USN Ubuntu USN USN-8142-1 Linux kernel vulnerability
Ubuntu USN Ubuntu USN USN-8143-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8145-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8148-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8149-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8143-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8145-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8148-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8148-3 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8145-3 Linux kernel (GCP) vulnerabilities
Ubuntu USN Ubuntu USN USN-8148-4 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8152-1 Linux kernel (OEM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8148-5 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8149-2 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8159-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8159-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8159-3 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8162-1 Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8164-1 Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8165-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8145-4 Linux kernel (HWE) vulnerabilities
Ubuntu USN Ubuntu USN USN-8148-6 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-2 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-8145-5 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-8148-7 Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8188-1 Linux kernel (HWE) vulnerabilities
Ubuntu USN Ubuntu USN USN-8200-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8200-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8201-1 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-8203-1 Linux kernel (Oracle) vulnerabilities
Ubuntu USN Ubuntu USN USN-8224-1 Linux kernel (BlueField) vulnerabilities
History

Wed, 18 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 06 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
References

Thu, 05 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows: ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s └── class 1:2 (weight=1, lmax=1514) teql GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed causing GangMin's causing a UAF.
Title net/sched: Enforce that teql can only be used as root qdisc
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T13:31:52.228Z

Reserved: 2026-01-13T15:37:45.958Z

Link: CVE-2026-23074

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-02-04T17:16:18.127

Modified: 2026-04-03T14:16:22.557

Link: CVE-2026-23074

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23074 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T01:15:20Z

Weaknesses