{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23437", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.017Z", "datePublished": "2026-04-03T15:15:22.048Z", "dateUpdated": "2026-04-03T15:15:22.048Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:22.048Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: shaper: protect late read accesses to the hierarchy\n\nWe look up a netdev during prep of Netlink ops (pre- callbacks)\nand take a ref to it. Then later in the body of the callback\nwe take its lock or RCU which are the actual protections.\n\nThis is not proper, a conversion from a ref to a locked netdev\nmust include a liveness check (a check if the netdev hasn't been\nunregistered already). Fix the read cases (those under RCU).\nWrites needs a separate change to protect from creating the\nhierarchy after flush has already run."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/shaper/shaper.c"], "versions": [{"version": "4b623f9f0f59652ea71fcb27d60b4c3b65126dbb", "lessThan": "581eee0890a8bde44f1fb78ad3e70502a897d583", "status": "affected", "versionType": "git"}, {"version": "4b623f9f0f59652ea71fcb27d60b4c3b65126dbb", "lessThan": "348758ba74e6a348299965b16a97cfb817545cc0", "status": "affected", "versionType": "git"}, {"version": "4b623f9f0f59652ea71fcb27d60b4c3b65126dbb", "lessThan": "0f9ea7141f365b4f27226898e62220fb98ef8dc6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/shaper/shaper.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/581eee0890a8bde44f1fb78ad3e70502a897d583"}, {"url": "https://git.kernel.org/stable/c/348758ba74e6a348299965b16a97cfb817545cc0"}, {"url": "https://git.kernel.org/stable/c/0f9ea7141f365b4f27226898e62220fb98ef8dc6"}], "title": "net: shaper: protect late read accesses to the hierarchy", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: shaper: protect late read accesses to the hierarchy\n\nWe look up a netdev during prep of Netlink ops (pre- callbacks)\nand take a ref to it. Then later in the body of the callback\nwe take its lock or RCU which are the actual protections.\n\nThis is not proper, a conversion from a ref to a locked netdev\nmust include a liveness check (a check if the netdev hasn't been\nunregistered already). Fix the read cases (those under RCU).\nWrites needs a separate change to protect from creating the\nhierarchy after flush has already run."}], "id": "CVE-2026-23437", "lastModified": "2026-04-03T16:16:25.400", "metrics": {}, "published": "2026-04-03T16:16:25.400", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0f9ea7141f365b4f27226898e62220fb98ef8dc6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/348758ba74e6a348299965b16a97cfb817545cc0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/581eee0890a8bde44f1fb78ad3e70502a897d583"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4b623f9f0f59652ea71fcb27d60b4c3b65126dbb,581eee0890a8bde44f1fb78ad3e70502a897d583)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4b623f9f0f59652ea71fcb27d60b4c3b65126dbb,348758ba74e6a348299965b16a97cfb817545cc0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4b623f9f0f59652ea71fcb27d60b4c3b65126dbb,0f9ea7141f365b4f27226898e62220fb98ef8dc6)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T18:56:58.998625+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel update from the distribution that contains the shaper liveness check fix.", "If using a custom kernel, rebuild after incorporating the patch that protects against late read accesses to the netdev hierarchy.", "As a temporary measure, disable netlink operations or the network shaper feature that triggers the vulnerable code path.", "Monitor system logs for kernel panics or signs of memory corruption that could indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Use-after-free leading to memory corruption or denial of service"}, "threat_synthesis": {"affected_systems": "All Linux kernel versions that include the unpatched shaper code are affected. Because the code resides in core kernel files, any distribution shipping such a kernel version is impacted. The issue is not limited to a specific vendor or product line.", "description_and_impact": "In the Linux kernel\u2019s network shaper, a netdev reference is taken before the device has been confirmed to be alive. The reference is later accessed in a Netlink callback under inadequate protection. This flaw can allow a use\u2011after\u2011free, which may corrupt memory and crash the kernel, potentially resulting in a denial of service or privilege escalation. The vulnerability originates from a missing liveness check when converting a reference to a locked netdev.", "risk_and_exploitability": "The CVSS score is not provided and EPSS data is unavailable, so a quantified severity cannot be stated. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a local or privileged user sending crafted Netlink messages to trigger the problematic path. If exploited, the attacker could force a kernel crash or achieve code execution at ring\u00a00. The risk is significant for exposed systems until the patch is applied."}}}}, "created": "2026-04-03T21:14:01.149440+00:00", "updated": "2026-04-03T21:16:14.562001+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}