Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim <[email protected]> managed to concot a scenario as follows: ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s └── class 1:2 (weight=1, lmax=1514) teql GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed causing GangMin's causing a UAF.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 2.6.12.1, < 5.10.249 |
Related Weaknesses (CWE)
References
- https://git.kernel.org/stable/c/0686bedfed34155520f3f735cbf3210cb9044380Patch
- https://git.kernel.org/stable/c/16ed73c1282d376b956bff23e5139add061767baPatch
- https://git.kernel.org/stable/c/4c7e8aa71c9232cba84c289b4b56cba80b280841Patch
- https://git.kernel.org/stable/c/50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3bPatch
- https://git.kernel.org/stable/c/73d970ff0eddd874a84c953387c7f4464b705fc6Patch
- https://git.kernel.org/stable/c/ae810e6a8ac4fe25042e6825d2a401207a2e41fbPatch
- https://git.kernel.org/stable/c/dad49a67c2d817bfec98e6e45121b351e3a0202cPatch
FAQ
What is CVE-2026-23074?
CVE-2026-23074 is a vulnerability with a CVSS score of 7.8 (HIGH). In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root q...
How severe is CVE-2026-23074?
CVE-2026-23074 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-23074?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel.