KernelScan.io

HIGH

net/shaper Hierarchy Race

CVE-2026-23437

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 5.3 MEDIUM

01

In the Linux kernel, the following vulnerability has been resolved:

net: shaper: protect late read accesses to the hierarchy

We look up a netdev during prep of Netlink ops (pre- callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU which are the actual protections.

This is not proper, a conversion from a ref to a locked netdev must include a liveness check (a check if the netdev hasn't been unregistered already). Fix the read cases (those under RCU). Writes need a separate change to protect from creating the hierarchy after flush has already run.

02

Engine v0.2.0

Risk summary

A use-after-free race condition in the network shaper subsystem allows local attackers with CAP_NET_ADMIN (obtainable via user namespace on default kernels) to trigger kernel crashes or leak kernel heap information. The vulnerability occurs when Netlink read operations access the shaper hierarchy after a network device has been unregistered, because the code fails to perform a liveness check under RCU.

Affected: net/shaper/shaper.c (network traffic shaper)

Vulnerability analysis

The vulnerability stems from a TOCTOU race in the network shaper Netlink get/lookup paths. During Netlink message preparation, a netdev reference is obtained. Later, under RCU read-side lock, the code dereferences netdev->net_shaper_hierarchy without verifying the device is still registered. If the netdev is unregistered and its hierarchy freed in the interim, this results in a use-after-free read. The fix introduces net_shaper_hierarchy_rcu(), which validates reg_state <= NETREG_REGISTERED before accessing the hierarchy. Because CAP_NET_ADMIN is available within user and network namespaces on default kernels, the attack surface extends to unprivileged local users. Successful exploitation can leak slab memory (C:Low) and will typically cause a kernel panic (A:High).
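The ref-versus-liveness distinction described above, as a single-threaded userspace model. This is an added example, not code from the kernel or from the patch: the struct and function names are hypothetical, the "live" flag stands in for the free, and only reg_state, NETREG_REGISTERED and the net_shaper_hierarchy field name come from the description.

```c
#include <stdio.h>
/* Subset of the kernel's netdev registration states, in the same order. */
enum reg_state { NETREG_UNINITIALIZED, NETREG_REGISTERED,
                 NETREG_UNREGISTERING, NETREG_UNREGISTERED };

/* Hypothetical stand-ins; "live" replaces a real free() so the model
 * can inspect the object afterwards without undefined behaviour. */
struct hierarchy_model { int live; };
struct netdev_model {
    int refcnt;                                   /* keeps only the struct alive */
    enum reg_state reg_state;
    struct hierarchy_model *net_shaper_hierarchy; /* torn down at unregister */
};

/* Pre-fix shape: a held reference is treated as proof of liveness. */
static struct hierarchy_model *hierarchy_unchecked(struct netdev_model *dev)
{
    return dev->net_shaper_hierarchy;
}
/* Post-fix shape: the reg_state test described for net_shaper_hierarchy_rcu(). */
static struct hierarchy_model *hierarchy_checked(struct netdev_model *dev)
{
    return dev->reg_state <= NETREG_REGISTERED ? dev->net_shaper_hierarchy : NULL;
}

/* Assumption of this model: unregister flips the state, then flushes. */
static void model_unregister(struct netdev_model *dev)
{
    dev->reg_state = NETREG_UNREGISTERING;
    dev->net_shaper_hierarchy->live = 0;          /* stands in for the free */
}

/* Replays lookup+ref, unregister, late read; returns 1 on a stale read. */
static int replay_late_read(int use_liveness_check)
{
    struct hierarchy_model h = { .live = 1 };
    struct netdev_model dev = { 1, NETREG_REGISTERED, &h };
    dev.refcnt++;                                 /* pre- callback: ref only */
    model_unregister(&dev);                       /* lands before the body runs */
    struct hierarchy_model *seen = use_liveness_check ? hierarchy_checked(&dev)
                                                      : hierarchy_unchecked(&dev);
    return seen != NULL && !seen->live;
}

int main(void)
{
    printf("unchecked=%d checked=%d\n", replay_late_read(0), replay_late_read(1));
    return 0;
}
```

The reference count never drops to zero in either replay, which is why holding it says nothing about whether the hierarchy is still there.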

03

Branch | Fixed in | Patch commit
6.18 | 6.18.20 | 581eee0890a8
6.19 | 6.19.10 | 348758ba74e6
mainline | 7.0 | 0f9ea7141f36