{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23436", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.017Z", "datePublished": "2026-04-03T15:15:21.280Z", "dateUpdated": "2026-04-03T15:15:21.280Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:21.280Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: shaper: protect from late creation of hierarchy\n\nWe look up a netdev during prep of Netlink ops (pre- callbacks)\nand take a ref to it. Then later in the body of the callback\nwe take its lock or RCU which are the actual protections.\n\nThe netdev may get unregistered in between the time we take\nthe ref and the time we lock it. We may allocate the hierarchy\nafter flush has already run, which would lead to a leak.\n\nTake the instance lock in pre- already, this saves us from the race\nand removes the need for dedicated lock/unlock callbacks completely.\nAfter all, if there's any chance of write happening concurrently\nwith the flush - we're back to leaking the hierarchy.\n\nWe may take the lock for devices which don't support shapers but\nwe're only dealing with SET operations here, not taking the lock\nwould be optimizing for an error case."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["Documentation/netlink/specs/net_shaper.yaml", "net/shaper/shaper.c", "net/shaper/shaper_nl_gen.c", "net/shaper/shaper_nl_gen.h"], "versions": [{"version": "93954b40f6a4fc43226c01a15b02732f884500f1", "lessThan": "719f6784f918f9e32f3ff3b197f900e852223f9d", "status": "affected", "versionType": "git"}, {"version": "93954b40f6a4fc43226c01a15b02732f884500f1", "lessThan": "d22921727023e7852704965e935f4d1fc83a5ec9", "status": "affected", "versionType": "git"}, {"version": "93954b40f6a4fc43226c01a15b02732f884500f1", "lessThan": "d75ec7e8ba1979a1eb0b9211d94d749cdce849c8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["Documentation/netlink/specs/net_shaper.yaml", "net/shaper/shaper.c", "net/shaper/shaper_nl_gen.c", "net/shaper/shaper_nl_gen.h"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/719f6784f918f9e32f3ff3b197f900e852223f9d"}, {"url": "https://git.kernel.org/stable/c/d22921727023e7852704965e935f4d1fc83a5ec9"}, {"url": "https://git.kernel.org/stable/c/d75ec7e8ba1979a1eb0b9211d94d749cdce849c8"}], "title": "net: shaper: protect from late creation of hierarchy", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: shaper: protect from late creation of hierarchy\n\nWe look up a netdev during prep of Netlink ops (pre- callbacks)\nand take a ref to it. Then later in the body of the callback\nwe take its lock or RCU which are the actual protections.\n\nThe netdev may get unregistered in between the time we take\nthe ref and the time we lock it. We may allocate the hierarchy\nafter flush has already run, which would lead to a leak.\n\nTake the instance lock in pre- already, this saves us from the race\nand removes the need for dedicated lock/unlock callbacks completely.\nAfter all, if there's any chance of write happening concurrently\nwith the flush - we're back to leaking the hierarchy.\n\nWe may take the lock for devices which don't support shapers but\nwe're only dealing with SET operations here, not taking the lock\nwould be optimizing for an error case."}], "id": "CVE-2026-23436", "lastModified": "2026-04-03T16:16:25.257", "metrics": {}, "published": "2026-04-03T16:16:25.257", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/719f6784f918f9e32f3ff3b197f900e852223f9d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d22921727023e7852704965e935f4d1fc83a5ec9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d75ec7e8ba1979a1eb0b9211d94d749cdce849c8"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[93954b40f6a4fc43226c01a15b02732f884500f1,719f6784f918f9e32f3ff3b197f900e852223f9d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[93954b40f6a4fc43226c01a15b02732f884500f1,d22921727023e7852704965e935f4d1fc83a5ec9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[93954b40f6a4fc43226c01a15b02732f884500f1,d75ec7e8ba1979a1eb0b9211d94d749cdce849c8)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T18:57:19.507093+00:00", "value": {"mitigation_remediation": ["Apply a Linux kernel update that incorporates commit 719f6784f918f9e32f3ff3b197f900e852223f9d or newer.", "Verify the applied kernel release includes the patch by checking the commit hash or reviewing the kernel source.", "If an update is not available, monitor for future kernel releases and apply the patch as soon as it is released."], "summary": {"action": "Patch", "impact": "Resource Leak"}, "threat_synthesis": {"affected_systems": "The vulnerability affects any Linux kernel that implements the shaper subsystem and has not incorporated the fix contained in commit 719f6784f918f9e32f3ff3b197f900e852223f9d (and the associated subsequent commits). No specific kernel releases are enumerated in the vulnerability data, so all kernels prior to the inclusion of this patch are potentially affected.", "description_and_impact": "The kernel networking shaper module can lose a reference to a net device between obtaining a reference and acquiring its lock, allowing a hierarchy to be created after the device has been unregistered. This race can leave the hierarchy allocated without a valid device, resulting in a lingering allocation that is never cleaned up.", "risk_and_exploitability": "The CVSS score and EPSS metric are not supplied in the vulnerability report, and the issue is not listed in CISA\u2019s KEV catalog, so the severity and likelihood of exploitation are not quantified. The patch addresses the race condition, and no explicit attack vector is documented in the payload; therefore it cannot be determined from the data whether the flaw requires local or privileged access."}}}}, "created": "2026-04-03T21:14:02.127499+00:00", "updated": "2026-04-03T21:16:15.568607+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-362", "CWE-399"]}