#VU124934 Race condition in Linux kernel - CVE-2026-23436

 

Published: April 6, 2026


Vulnerability identifier: #VU124934
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23436
CWE-ID: CWE-362
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Linux kernel
Software vendor:
Linux Foundation

Description

The vulnerability allows a remote user to cause a resource leak.

The vulnerability exists due to a race condition in the kernel's net shaper hierarchy handling when processing netlink set operations. A remote user can send crafted netlink set operations during device unregistration to cause a resource leak.

The issue occurs when a hierarchy is created after the flush has already run, because the netdev may be unregistered between reference acquisition and the later locking. Low privileges are required to trigger the issue.
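
The interleaving described above, replayed deterministically in a user-space C model. This is an added example, not kernel code or the vendor's patch; the struct, the function names and the re-check of the registration state under the lock are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model; all names are hypothetical, not kernel symbols. */
struct model_dev {
    int refcnt;       /* keeps the struct alive, says nothing about registration */
    bool registered;  /* cleared by unregistration */
    bool locked;      /* stands in for the per-device lock */
    void *hierarchy;  /* shaper hierarchy, released only by the flush */
};

/* Unregistration: flush the hierarchy once, under the lock. */
static void model_unregister(struct model_dev *d)
{
    d->locked = true;
    free(d->hierarchy);
    d->hierarchy = NULL;
    d->registered = false;
    d->locked = false;
}

/* Second half of a set operation: the reference is already held. */
static int model_set(struct model_dev *d, bool recheck)
{
    int ret = 0;
    d->locked = true;
    if (recheck && !d->registered)
        ret = -ENODEV;                 /* device went away before the lock */
    else if (!d->hierarchy && !(d->hierarchy = malloc(64)))
        ret = -ENOMEM;
    d->locked = false;
    d->refcnt--;                       /* drop the reference from step 1 */
    return ret;
}

/* Replays the interleaving; returns 1 if a hierarchy outlives the flush. */
int replay_race(bool recheck)
{
    struct model_dev d = { .refcnt = 1, .registered = true };
    d.refcnt++;                        /* step 1: set operation takes a reference */
    model_unregister(&d);              /* flush runs before the lock is taken */
    model_set(&d, recheck);            /* step 2: lock, then create */
    int leaked = d.hierarchy != NULL;
    free(d.hierarchy);                 /* model cleanup only */
    return leaked;
}

int main(void) { return printf("unchecked=%d rechecked=%d\n", replay_race(false), replay_race(true)) < 0; }
```

Holding a reference only keeps the object alive; in the model, the hierarchy created after the flush has no remaining owner to free it unless the registration state is checked again once the lock is held.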


Remediation

Install the security update from the vendor's repository.

External links