Description
In the Linux kernel, the following vulnerability has been resolved:

net: shaper: protect from late creation of hierarchy

We look up a netdev during prep of Netlink ops (pre- callbacks)
and take a ref to it. Then later in the body of the callback
we take its lock or RCU which are the actual protections.

The netdev may get unregistered in between the time we take
the ref and the time we lock it. We may allocate the hierarchy
after flush has already run, which would lead to a leak.

Take the instance lock in pre- already, this saves us from the race
and removes the need for dedicated lock/unlock callbacks completely.
After all, if there's any chance of write happening concurrently
with the flush - we're back to leaking the hierarchy.

We may take the lock for devices which don't support shapers but
we're only dealing with SET operations here, not taking the lock
would be optimizing for an error case.
Published: 2026-04-03
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Leak
Action: Patch Now
AI Analysis

Impact

The Linux kernel network shaper subsystem contains a race condition that allows a hierarchy structure to be allocated after a system flush has already finished, which leaks memory. The flaw arises because a network device reference is taken during the preparation of Netlink SET operations but the necessary lock is not acquired until later. If the device is unregistered in the meanwhile, the hierarchy allocation may occur after the flush, leaving references that are never freed. A leak of this nature can gradually exhaust kernel memory and potentially destabilize the system. The weakness is a classic race condition as identified by CWE‑367.

Affected Systems

All Linux kernel builds that include the net: shaper code path and do not implement the pre‑locking change are vulnerable. This includes generic kernel releases up to 6.13 and the 7.0 release candidates (RC1 through RC7) that are still using the unpatched path. Distributions distributing these kernels without applying the patch are affected.

Risk and Exploitability

The CVSS score is 5.5, reflecting moderate severity. The EPSS score of < 1 % indicates that the probability of exploitation in the wild is very low, and the flaw is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker would need local or privileged access to craft Netlink SET requests while a device is concurrently being unregistered or otherwise modified. Successful exploitation would mainly lead to memory leaks and, over time, could degrade performance or crash the kernel, but it does not directly provide code execution or privilege escalation.

Generated by OpenCVE AI on April 28, 2026 at 21:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patched net: shaper subsystem
  • Review the changelog or vendor advisories to confirm that the pre‑locking change is present
  • If an immediate upgrade is not possible, avoid creating or modifying shapers during periods of device churn and monitor system logs for abnormal memory usage patterns
  • When a patch is applied, perform kernel memory inspection to ensure that any previously allocated hierarchy objects are reclaimed

Generated by OpenCVE AI on April 28, 2026 at 21:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-399

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-399

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: shaper: protect from late creation of hierarchy We look up a netdev during prep of Netlink ops (pre- callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU which are the actual protections. The netdev may get unregistered in between the time we take the ref and the time we lock it. We may allocate the hierarchy after flush has already run, which would lead to a leak. Take the instance lock in pre- already, this saves us from the race and removes the need for dedicated lock/unlock callbacks completely. After all, if there's any chance of write happening concurrently with the flush - we're back to leaking the hierarchy. We may take the lock for devices which don't support shapers but we're only dealing with SET operations here, not taking the lock would be optimizing for an error case.
Title net: shaper: protect from late creation of hierarchy
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:06:52.320Z

Reserved: 2026-01-13T15:37:46.017Z

Link: CVE-2026-23436

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T16:16:25.257

Modified: 2026-04-23T20:59:33.860

Link: CVE-2026-23436

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23436 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T22:00:14Z

Weaknesses