HIGH
net/sched Gate Race
CVE-2026-23245
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI7.0HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_gate: snapshot parameters with RCU on replace The gate action can be replaced while the hrtimer callback or dump path is walking the schedule list. Convert the parameters to an RCU-protected snapshot and swap updates under tcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits the entry list, preserve the existing schedule so the effective state is unchanged.
02KernelScan AI Analysis
Risk summary
Local users with CAP_NET_ADMIN can trigger a race condition in the gate action scheduler that leads to use-after-free conditions. This could result in kernel memory corruption, privilege escalation, or system crashes when gate action parameters are replaced concurrently with timer callbacks or dump operations.
Vulnerability analysis
The vulnerability is a use-after-free in the gate action (act_gate) traffic control module. The root cause is a race condition where gate action parameters can be replaced via netlink while hrtimer callbacks or dump operations are concurrently accessing the schedule list. The original code directly modified and freed gate entry lists without RCU protection, allowing concurrent readers to access freed memory. The fix converts the parameters to RCU-protected snapshots, using rcu_replace_pointer() for updates and call_rcu() for safe deallocation, ensuring that concurrent readers see consistent state even during parameter replacement.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | fc98fd8d2146 |
| 6.1 | 6.1.167 | 8b1251bbf0f1 |
| 6.12 | 6.12.78 | 035d0d09d5ab |
| 6.18 | 6.18.18 | 04d75529dc0f |
| 6.19 | 6.19.8 | 58b162e318d0 |
| 6.6 | 6.6.130 | dfc314d7c767 |
| mainline | 7.0 | 62413a9c3cb1 |