CVE-2026-23245 - Vulnerability Details

- net/sched: act_gate: snapshot parameters with RCU on replace

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_gate: snapshot parameters with RCU on replace

The gate action can be replaced while the hrtimer callback or dump path is
walking the schedule list.

Convert the parameters to an RCU-protected snapshot and swap updates under
tcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits
the entry list, preserve the existing schedule so the effective state is
unchanged.

Published: 2026-03-18

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability arises from the act_gate function in the Linux network scheduler. When the gate action is replaced while a high‑resolution timer callback or dump path is traversing the schedule list, the parameters are turned into an RCU‑protected snapshot and then swapped under tcf_lock. Because the previous snapshot is freed via call_rcu(), a race can occur that results in a use‑after‑free or memory corruption. An attacker who can control the replacement of the gate action may trigger this race, causing the kernel to crash. The weakness is associated with a race condition and use‑after‑free (CWE‑362, CWE‑416).

Affected Systems

All Linux kernel releases that include the act_gate implementation of net/sched. The bug targets the core Linux kernel (vendor Linux, product Linux kernel). No specific version numbers are listed, so it may affect any kernel prior to the patch commit.

Risk and Exploitability

The CVSS score of 7.8 indicates significant impact. The EPSS score is below 1 %, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require local access and the ability to manipulate traffic‑control configurations. An attacker with such privileges could trigger a kernel panic, causing a denial of service. No remote code execution vector is documented, so the risk is primarily to availability of affected systems.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a51c328df3106663879645680609eb49b3ff6444`	affected	< 8b1251bbf0f10ac745ed74bad4d3b433caa1eeae
`a51c328df3106663879645680609eb49b3ff6444`	affected	< dfc314d7c767e350f78a46a8f8b134f80e8ad432
`a51c328df3106663879645680609eb49b3ff6444`	affected	< 035d0d09d5ab3ed3e93d18cde2b562a6719eea23
`a51c328df3106663879645680609eb49b3ff6444`	affected	< 04d75529dc0f9be78786162ebab7424af4644df2
`a51c328df3106663879645680609eb49b3ff6444`	affected	< 58b162e318d0243ad2d7d92456c0873f2494c351
`a51c328df3106663879645680609eb49b3ff6444`	affected	< 62413a9c3cb183afb9bb6e94dd68caf4e4145f4c

Linux

affected

Version	Status	Constraints
`5.8`	affected	—
`0`	unaffected	< 5.8
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.18`	unaffected	≤ 6.18.*
`6.19.8`	unaffected	≤ 6.19.*
`7.0-rc3`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[a51c328df3106663879645680609eb49b3ff6444,04d75529dc0f9be78786162ebab7424af4644df2)`	affected	code_commit	—
`[a51c328df3106663879645680609eb49b3ff6444,58b162e318d0243ad2d7d92456c0873f2494c351)`	affected	code_commit	—
`[a51c328df3106663879645680609eb49b3ff6444,62413a9c3cb183afb9bb6e94dd68caf4e4145f4c)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.8`	affected	generic	—
`[0,5.8)`	unaffected	generic	—
`[6.18.18,6.19.0)`	unaffected	semver	—
`[6.19.8,6.20.0)`	unaffected	semver	—
`[7.0-rc3,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest kernel update that includes the fix for CVE‑2026‑23245.
Restart the system or reload the affected modules to ensure the kernel is not holding corrupted state.
Restrict traffic‑control configuration modifications to trusted administrators, preventing unprivileged users from invoking gate replacements.
Monitor kernel logs for crashes or abnormal terminations that may indicate a kernel panic.

Generated by OpenCVE AI on April 2, 2026 at 16:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/035d0d09d5ab3ed3e93d18cde2b562a6719eea23
https://git.kernel.org/stable/c/04d75529dc0f9be78786162ebab7424af4644df2
https://git.kernel.org/stable/c/58b162e318d0243ad2d7d92456c0873f2494c351
https://git.kernel.org/stable/c/62413a9c3cb183afb9bb6e94dd68caf4e4145f4c
https://git.kernel.org/stable/c/8b1251bbf0f10ac745ed74bad4d3b433caa1eeae
https://git.kernel.org/stable/c/dfc314d7c767e350f78a46a8f8b134f80e8ad432
https://lore.kernel.org/linux-cve-announce/2026031817-CVE-2026-23245-ac26@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23245
https://www.cve.org/CVERecord?id=CVE-2026-23245

History

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-416

Thu, 02 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 27 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-362 CWE-416

Fri, 27 Mar 2026 08:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-416

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-362 CWE-416

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-416

Wed, 25 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/035d0d09d5ab3ed3e93d18cde2b562a6719eea23 https://git.kernel.org/stable/c/8b1251bbf0f10ac745ed74bad4d3b433caa1eeae https://git.kernel.org/stable/c/dfc314d7c767e350f78a46a8f8b134f80e8ad432

Tue, 24 Mar 2026 13:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Thu, 19 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026031817-CVE-2026-23245-ac26@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23245 https://www.cve.org/CVERecord?id=CVE-2026-23245

Wed, 18 Mar 2026 10:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/sched: act_gate: snapshot parameters with RCU on replace The gate action can be replaced while the hrtimer callback or dump path is walking the schedule list. Convert the parameters to an RCU-protected snapshot and swap updates under tcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits the entry list, preserve the existing schedule so the effective state is unchanged.
Title		net/sched: act_gate: snapshot parameters with RCU on replace
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/04d75529dc0f9be78786162ebab7424af4644df2 https://git.kernel.org/stable/c/58b162e318d0243ad2d7d92456c0873f2494c351 https://git.kernel.org/stable/c/62413a9c3cb183afb9bb6e94dd68caf4e4145f4c

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-18T10:05:07.406Z

Updated: 2026-04-02T14:43:57.805Z

Reserved: 2026-01-13T15:37:45.989Z

Link: CVE-2026-23245

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-18T11:16:16.437

Modified: 2026-04-02T15:16:26.710

Link: CVE-2026-23245

Redhat

Severity :

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23245 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:23:31Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object