Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_gate: snapshot parameters with RCU on replace

The gate action can be replaced while the hrtimer callback or dump path is
walking the schedule list.

Convert the parameters to an RCU-protected snapshot and swap updates under
tcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits
the entry list, preserve the existing schedule so the effective state is
unchanged.
Published: 2026-03-18
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the act_gate function in the traffic‑control subsystem can be replaced while a high‑resolution timer callback or dump routine is iterating over the scheduling list. The replacement converts parameters into an RCU‑protected snapshot and swaps them under tcf_lock, freeing the old snapshot with call_rcu(). When the REPLACE operation omits the entry list, the existing schedule is preserved but the race between the snapshot swap and the RCU cleanup can trigger a use‑after‑free or memory corruption. The identified weaknesses correspond to race conditions and use‑after‑free, and the flaw can lead to a kernel crash.

Affected Systems

All Linux kernel releases that implement the act_gate network‑scheduler action are affected. In particular, the CPE identifiers list version 5.8 and the 7.0 release candidates (rc1, rc2) as well as any kernel version that matches the generic Linux kernel CPE. Thus, systems running kernel 5.8 or newer, including current production releases, may be vulnerable if they have not applied the patch that fixes this race condition.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity impact, while the EPSS score of less than 1 % suggests a low likelihood of exploitation in the wild. The flaw is not catalogued in CISA's KEV list. Exploitation would require local access with the ability to modify traffic‑control configurations or trigger a replacement of the gate action, which is typically restricted to privileged users. Consequently, the risk is primarily limited to availability of the host, with no known remote code execution vector.

Generated by OpenCVE AI on May 21, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel release that contains the patch for CVE‑2026‑23245.
  • Reboot the system or unload and reload the affected modules to clear any residual corrupted state.
  • Restrict traffic‑control configuration changes to trusted administrators, preventing unprivileged users from performing gate replacements.
  • Monitor kernel logs for signs of use‑after‑free or crashes that might indicate exploitation attempts.

Generated by OpenCVE AI on May 21, 2026 at 22:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Thu, 21 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 21 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:5.8:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
References

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References

Wed, 18 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/sched: act_gate: snapshot parameters with RCU on replace The gate action can be replaced while the hrtimer callback or dump path is walking the schedule list. Convert the parameters to an RCU-protected snapshot and swap updates under tcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits the entry list, preserve the existing schedule so the effective state is unchanged.
Title net/sched: act_gate: snapshot parameters with RCU on replace
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:03:07.821Z

Reserved: 2026-01-13T15:37:45.989Z

Link: CVE-2026-23245

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T11:16:16.437

Modified: 2026-05-21T18:47:30.370

Link: CVE-2026-23245

cve-icon Redhat

Severity :

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23245 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T22:45:21Z

Weaknesses