CVE-2026-23437 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

net: shaper: protect late read accesses to the hierarchy

We look up a netdev during prep of Netlink ops (pre- callbacks)
and take a ref to it. Then later in the body of the callback
we take its lock or RCU which are the actual protections.

This is not proper, a conversion from a ref to a locked netdev
must include a liveness check (a check if the netdev hasn't been
unregistered already). Fix the read cases (those under RCU).
Writes needs a separate change to protect from creating the
hierarchy after flush has already run.

Published: 2026-04-03

Score: 5.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel’s network shaper, a netdev reference is taken before the device has been confirmed to be alive. The reference is later accessed in a Netlink callback under inadequate protection. This flaw can allow a use‑after‑free, which may corrupt memory and crash the kernel, potentially resulting in a denial of service or privilege escalation. The vulnerability originates from a missing liveness check when converting a reference to a locked netdev.

Affected Systems

All Linux kernel versions that include the unpatched shaper code are affected. Because the code resides in core kernel files, any distribution shipping such a kernel version is impacted. The issue is not limited to a specific vendor or product line.

Risk and Exploitability

The CVSS score is not provided and EPSS data is unavailable, so a quantified severity cannot be stated. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a local or privileged user sending crafted Netlink messages to trigger the problematic path. If exploited, the attacker could force a kernel crash or achieve code execution at ring 0. The risk is significant for exposed systems until the patch is applied.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`4b623f9f0f59652ea71fcb27d60b4c3b65126dbb`	affected	< 581eee0890a8bde44f1fb78ad3e70502a897d583
`4b623f9f0f59652ea71fcb27d60b4c3b65126dbb`	affected	< 348758ba74e6a348299965b16a97cfb817545cc0
`4b623f9f0f59652ea71fcb27d60b4c3b65126dbb`	affected	< 0f9ea7141f365b4f27226898e62220fb98ef8dc6

Linux

affected

Version	Status	Constraints
`6.13`	affected	—
`0`	unaffected	< 6.13
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0-rc5`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[4b623f9f0f59652ea71fcb27d60b4c3b65126dbb,581eee0890a8bde44f1fb78ad3e70502a897d583)`	affected	code_commit	—
`[4b623f9f0f59652ea71fcb27d60b4c3b65126dbb,348758ba74e6a348299965b16a97cfb817545cc0)`	affected	code_commit	—
`[4b623f9f0f59652ea71fcb27d60b4c3b65126dbb,0f9ea7141f365b4f27226898e62220fb98ef8dc6)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.13`	affected	generic	—
`[0,6.13)`	unaffected	generic	—
`[6.18.20,6.19.0)`	unaffected	generic	—
`[6.19.10,6.20.0)`	unaffected	generic	—
`[7.0-rc5,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest kernel update from the distribution that contains the shaper liveness check fix.
If using a custom kernel, rebuild after incorporating the patch that protects against late read accesses to the netdev hierarchy.
As a temporary measure, disable netlink operations or the network shaper feature that triggers the vulnerable code path.
Monitor system logs for kernel panics or signs of memory corruption that could indicate exploitation attempts.

Generated by OpenCVE AI on April 3, 2026 at 18:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0f9ea7141f365b4f27226898e62220fb98ef8dc6
https://git.kernel.org/stable/c/348758ba74e6a348299965b16a97cfb817545cc0
https://git.kernel.org/stable/c/581eee0890a8bde44f1fb78ad3e70502a897d583
https://lore.kernel.org/linux-cve-announce/2026040312-CVE-2026-23437-9787@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23437
https://www.cve.org/CVERecord?id=CVE-2026-23437

History

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026040312-CVE-2026-23437-9787@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23437 https://www.cve.org/CVERecord?id=CVE-2026-23437
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: shaper: protect late read accesses to the hierarchy We look up a netdev during prep of Netlink ops (pre- callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU which are the actual protections. This is not proper, a conversion from a ref to a locked netdev must include a liveness check (a check if the netdev hasn't been unregistered already). Fix the read cases (those under RCU). Writes needs a separate change to protect from creating the hierarchy after flush has already run.
Title		net: shaper: protect late read accesses to the hierarchy
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0f9ea7141f365b4f27226898e62220fb98ef8dc6 https://git.kernel.org/stable/c/348758ba74e6a348299965b16a97cfb817545cc0 https://git.kernel.org/stable/c/581eee0890a8bde44f1fb78ad3e70502a897d583

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:22.048Z

Updated: 2026-04-03T15:15:22.048Z

Reserved: 2026-01-13T15:37:46.017Z

Link: CVE-2026-23437

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-03T16:16:25.400

Modified: 2026-04-03T16:16:25.400

Link: CVE-2026-23437

Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23437 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:16:14Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object