#VU124500 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in Linux kernel - CVE-2026-23342

 

Published: March 25, 2026


Vulnerability identifier: #VU124500
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23342
CWE-ID: CWE-362
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Linux kernel
Software vendor: Linux Foundation

Description

The vulnerability allows a local user to cause a denial of service, disclose sensitive information, and potentially execute arbitrary code.

The vulnerability exists due to improper synchronization in the BPF cpumap component when handling XDP packet enqueue and flush operations on PREEMPT_RT kernels. A local user can trigger concurrent access to the per-CPU xdp_bulk_queue by exploiting preemption during critical sections, leading to race conditions that corrupt internal state and cause memory corruption.

The issue arises specifically on PREEMPT_RT kernels where local_bh_disable() does not prevent preemption, allowing multiple tasks on the same CPU to concurrently access shared data structures.
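
Because the issue is specific to PREEMPT_RT kernels and the BPF cpumap component, a host can be triaged for those two preconditions. The script below is an added example, not part of the advisory or of any vendor tooling; the function names are hypothetical, and it assumes the kernel config is readable at `/boot/config-$(uname -r)` and that `bpftool` is installed (it needs root to list maps).

```shell
#!/bin/sh
# Added example: triage for the preconditions named in the advisory
# (PREEMPT_RT kernel, cpumap maps loaded). It does not detect the bug
# itself and does not confirm that a fix is installed.

# rt_evidence UNAME_V REALTIME_FLAG CONFIG_TEXT
# Prints which indicators (uname, sysfs, config) report a PREEMPT_RT kernel.
rt_evidence() (
    found=""
    case "$1" in *PREEMPT_RT*) found="$found uname" ;; esac
    [ "$2" = "1" ] && found="$found sysfs"
    if printf '%s\n' "$3" | grep -qx 'CONFIG_PREEMPT_RT=y'; then
        found="$found config"
    fi
    printf '%s' "${found# }"
)

# classify_host UNAME_V REALTIME_FLAG CONFIG_TEXT
# Prints "rt (<indicators>)" if any indicator fires, otherwise "non-rt".
classify_host() (
    ev=$(rt_evidence "$1" "$2" "$3")
    if [ -n "$ev" ]; then printf 'rt (%s)' "$ev"; else printf 'non-rt'; fi
)

# cpumap_count BPFTOOL_OUTPUT
# Counts maps of type cpumap in plain `bpftool map show` output.
cpumap_count() (
    printf '%s\n' "$1" | grep -Ec '^[0-9]+: cpumap ' || true
)

# Collect the three indicators and the map list from the running host.
# Missing files or tools yield empty input rather than an error.
main() (
    uv=$(uname -v)
    rt=$(cat /sys/kernel/realtime 2>/dev/null || true)
    cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null || true)
    maps=$(bpftool map show 2>/dev/null || true)
    echo "kernel: $(classify_host "$uv" "$rt" "$cfg")"
    echo "loaded cpumap maps: $(cpumap_count "$maps")"
)
main
```

A host that reports `rt (...)` and a non-zero cpumap count is the one to prioritise for the vendor update; a count of 0 from a non-root run only means the maps could not be listed.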


Remediation

Install the security update from the vendor's repository.
