HIGH
sched clsact Qdisc UAF
CVE-2026-23413
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

clsact: Fix use-after-free in init/destroy rollback asymmetry

Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry. The latter is achieved by first fully initializing a clsact instance, and then in a second step having a replacement failure for the new clsact qdisc instance.

clsact_init() initializes ingress first and then takes care of the egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon failure, the kernel will trigger the clsact_destroy() callback. Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details how the transition is happening.

If tcf_block_get_ext on the q->ingress_block ends up failing, we took the tcx_miniq_inc reference count on the ingress side, but not yet on the egress side. clsact_destroy() tests whether the {ingress,egress}_entry was non-NULL. However, even in midway failure on the replacement, both are in fact non-NULL with a valid egress_entry from the previous clsact instance.

What we really need to test for is whether the qdisc instance-specific ingress or egress side previously got initialized. This adds a small helper for checking the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon clsact_destroy() in order to fix the use-after-free scenario. Convert the ingress_destroy() side as well so both are consistent with each other.
02 KernelScan AI Analysis
Risk summary
A local attacker holding CAP_NET_ADMIN can trigger a use-after-free in the kernel's traffic-control subsystem by making the replacement of an already-initialised clsact qdisc fail partway through its init. The object freed is a tcx_entry still in use by the surviving qdisc, so the outcome is kernel memory corruption, a system crash, or potentially privilege escalation. CAP_NET_ADMIN over a network namespace is the only privilege needed; it is commonly held inside containers that manage their own interfaces and by users allowed to configure networking, so the bar is lower than system-wide root.
Vulnerability analysis
Root Cause: clsact_init() and clsact_destroy() are asymmetric on the rollback path. Init sets up the ingress side first (taking a tcx_miniq_inc reference on the device's ingress tcx_entry) and only then the egress side; if tcf_block_get_ext() fails in between, the new instance has an initialised ingress pair but an untouched egress pair. clsact_destroy(), invoked as the rollback, decided what to tear down by checking whether the device's ingress_entry and egress_entry pointers were non-NULL. During a replacement both are non-NULL, because the egress entry still belongs to the previous, fully initialised clsact instance. Destroy therefore drops an egress reference that the failed instance never took, the previous instance's tcx_entry can be released while it is still live, and its subsequent use is a use-after-free.
Attack Surface: Local only, and gated on CAP_NET_ADMIN. The trigger is ordinary tc netlink traffic (tc qdisc add/replace/del of clsact or ingress qdiscs, including ones bound to shared tc blocks via ingress_block/egress_block) arranged so that the replacement's init fails after the ingress side was set up. No namespace creation is needed when the attacker already holds CAP_NET_ADMIN in the initial namespace; otherwise an unprivileged user can obtain it over a fresh network namespace where unprivileged user namespaces are enabled, which is the usual route from inside a container.
Fix Mechanism: The patch introduces the helper mini_qdisc_pair_inited(), which reports whether a mini_qdisc_pair was actually initialised by checking that miniqp->p_miniq is non-NULL. Both clsact_destroy() and ingress_destroy() are converted to decide per side on this instance-specific state instead of on the device's shared entry pointers, so a rollback after a midway failure releases only the references the failed instance took and leaves the previous instance's entries intact.
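The following userspace model replays the rollback scenario described above, with the buggy and the fixed destroy side by side. It is an added illustration, not the kernel's code or the patch: the names tcx_entry, mini_qdisc_pair, mini_qdisc_pair_inited() and the init/destroy callbacks mirror the kernel's, but their bodies, the reference-count field and the "freed" flag (used instead of a real free so the dangling pointer can be inspected) are simplified stand-ins, and the failure of tcf_block_get_ext() is modelled by a boolean parameter.

```c
/* Added model of the clsact init/destroy rollback asymmetry. Not kernel
 * code: the structures and callbacks are simplified stand-ins that keep
 * only the state the bug depends on. */
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct mini_qdisc { int filters; };

/* Per-device, per-direction entry shared by successive clsact instances. */
struct tcx_entry {
	unsigned int miniq_active; /* qdisc instances holding a reference */
	bool freed;                /* set instead of free(), so dangling use is visible */
	struct mini_qdisc miniq;
};

struct mini_qdisc_pair {
	struct mini_qdisc *p_miniq; /* NULL until mini_qdisc_pair_init() ran */
};

struct clsact_sched {
	struct mini_qdisc_pair miniqp_ingress;
	struct mini_qdisc_pair miniqp_egress;
};

struct net_device {
	struct tcx_entry ingress_storage, egress_storage; /* backing memory (model) */
	struct tcx_entry *tcx_ingress; /* NULL when no entry is attached */
	struct tcx_entry *tcx_egress;
};

static struct tcx_entry *tcx_entry_fetch_or_create(struct tcx_entry **slot,
						   struct tcx_entry *storage)
{
	if (!*slot) {
		memset(storage, 0, sizeof(*storage));
		*slot = storage;
	}
	return *slot;
}

static void mini_qdisc_pair_init(struct mini_qdisc_pair *miniqp, struct tcx_entry *entry)
{
	miniqp->p_miniq = &entry->miniq;
	entry->miniq_active++; /* tcx_miniq_inc() */
}

/* The helper the fix adds: did this instance initialise this side? */
static bool mini_qdisc_pair_inited(const struct mini_qdisc_pair *miniqp)
{
	return miniqp->p_miniq != NULL;
}

/* tcx_miniq_dec(), releasing the entry once no user is left. */
static void tcx_entry_put(struct tcx_entry **slot)
{
	struct tcx_entry *entry = *slot;
	if (--entry->miniq_active == 0) {
		entry->freed = true;
		*slot = NULL;
	}
}

/* clsact_init(): ingress first, then egress. fail_ingress_block models
 * tcf_block_get_ext() failing on q->ingress_block, i.e. after the ingress
 * reference was taken and before the egress side was touched. */
static int clsact_init(struct clsact_sched *q, struct net_device *dev, bool fail_ingress_block)
{
	memset(q, 0, sizeof(*q));
	mini_qdisc_pair_init(&q->miniqp_ingress,
			     tcx_entry_fetch_or_create(&dev->tcx_ingress, &dev->ingress_storage));
	if (fail_ingress_block)
		return -ENOMEM; /* the core then runs the destroy callback as rollback */
	mini_qdisc_pair_init(&q->miniqp_egress,
			     tcx_entry_fetch_or_create(&dev->tcx_egress, &dev->egress_storage));
	return 0;
}

/* Pre-fix destroy: keys off the device's entry pointers, which are both
 * non-NULL during a replacement even though this instance only took the
 * ingress reference. */
static void clsact_destroy_buggy(struct clsact_sched *q, struct net_device *dev)
{
	(void)q;
	if (dev->tcx_ingress)
		tcx_entry_put(&dev->tcx_ingress);
	if (dev->tcx_egress)
		tcx_entry_put(&dev->tcx_egress);
}

/* Fixed destroy: only drop what this instance's pairs actually initialised. */
static void clsact_destroy_fixed(struct clsact_sched *q, struct net_device *dev)
{
	if (mini_qdisc_pair_inited(&q->miniqp_ingress))
		tcx_entry_put(&dev->tcx_ingress);
	if (mini_qdisc_pair_inited(&q->miniqp_egress))
		tcx_entry_put(&dev->tcx_egress);
}

typedef void (*destroy_fn)(struct clsact_sched *, struct net_device *);

/* Fully initialise one clsact instance, then attempt a replacement whose
 * init fails midway and gets rolled back with the given destroy. Returns the
 * reference count the surviving instance's egress entry holds afterwards,
 * or -1 if that entry was released from under it (the use-after-free). */
static int old_egress_refs_after_rollback(destroy_fn destroy)
{
	struct net_device dev = {0};
	struct clsact_sched old, replacement;
	struct tcx_entry *egress;

	if (clsact_init(&old, &dev, false) != 0)
		return -2;
	egress = dev.tcx_egress; /* old's egress entry, one reference */

	if (clsact_init(&replacement, &dev, true) != 0)
		destroy(&replacement, &dev); /* qdisc_create() rollback path */

	/* old is still the active qdisc and its p_miniq points into *egress */
	if (egress->freed || old.miniqp_egress.p_miniq != &egress->miniq)
		return -1;
	return (int)egress->miniq_active;
}

int main(void)
{
	printf("buggy destroy: %d\n", old_egress_refs_after_rollback(clsact_destroy_buggy));
	printf("fixed destroy: %d\n", old_egress_refs_after_rollback(clsact_destroy_fixed));
	return 0;
}
```

With the buggy destroy the surviving instance's egress entry is released (its count goes 1 to 0) while the old qdisc still points into it; with the fixed destroy the egress side is skipped because the failed instance's pair was never initialised, and the ingress count correctly drops back from 2 to 1 in both variants.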
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.6 | 6.6.130 | a73d95b57bf9 |
| 6.10 | 6.10 | 37bef86e5428 |
| 6.12 | 6.12.78 | 4c9af67f99aa |
| 6.18 | 6.18.20 | 0509b762bc5e |
| 6.19 | 6.19.10 | a0671125d4f5 |
| mainline | 7.0 | — |