Security Vulnerability Report
CVE-2026-23463 CVSS 4.7 MEDIUM

CVE-2026-23463

Published: 2026-04-03 16:16:34
Last Modified: 2026-05-20 15:25:35
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

soc: fsl: qbman: fix race condition in qman_destroy_fq

When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.

Indeed, we can have:

    Thread A                          Thread B
    qman_destroy_fq()                 qman_create_fq()
    qman_release_fqid()
    qman_shutdown_fq()
    gen_pool_free()
      -- At this point, the fqid is available again --
                                      qman_alloc_fqid()
      -- so, we can get the just-freed fqid in thread B --
                                      fq->fqid = fqid;
                                      fq->idx = fqid * 2;
                                      WARN_ON(fq_table[fq->idx]);
                                      fq_table[fq->idx] = fq;
    fq_table[fq->idx] = NULL;

And adding some logs between qman_release_fqid() and fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.

To prevent that, ensure that fq_table[fq->idx] is set to NULL before gen_pool_free() is called by using smp_wmb().

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel (stable versions before the fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC Concept for CVE-2026-23463
 * Demonstrating the race condition logic in user-space simulation.
 * Requires a kernel environment or specific driver interaction for real exploit.
 */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* 1 = slot occupied, 0 = slot empty (stands in for a NULL pointer) */
volatile int fq_table[1024];
volatile int pool_available = 0;

void *thread_destroy(void *arg)
{
    (void)arg;
    int idx = 500 * 2; /* same slot Thread B checks: fq->idx = fqid * 2 */

    printf("[Thread A] Destroying FQ at idx %d\n", idx);
    // Simulate gen_pool_free (making ID available)
    pool_available = 1;
    // RACE WINDOW: fq_table[idx] is not NULL yet
    usleep(100);
    // Cleanup happens late
    fq_table[idx] = 0;
    printf("[Thread A] FQ table entry set to NULL\n");
    return NULL;
}

void *thread_create(void *arg)
{
    (void)arg;
    usleep(50); // Ensure Thread A starts first
    printf("[Thread B] Trying to allocate new FQ\n");
    if (pool_available) {
        int new_fqid = 500;
        int idx = new_fqid * 2;

        printf("[Thread B] Allocated FQID %d, checking idx %d\n", new_fqid, idx);
        // The Vulnerable Check: WARN_ON(fq_table[fq->idx])
        if (fq_table[idx] != 0) {
            printf("[Thread B] !!! WARN_ON TRIGGERED !!! Race condition detected.\n");
        } else {
            fq_table[idx] = 1;
            printf("[Thread B] FQ allocated successfully.\n");
        }
    }
    return NULL;
}

int main(void)
{
    fq_table[1000] = 1; // Init dummy entry
    pthread_t t1, t2;

    pthread_create(&t1, NULL, thread_destroy, NULL);
    pthread_create(&t2, NULL, thread_create, NULL);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    return 0;
}
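
The ordering fix from the description, shown next to the old order in a deterministic user-space model. This is an added example, not the kernel patch or code from this page: the model_* names, the one-entry pool and the forced interleaving are assumptions, and a C11 release fence stands in for smp_wmb().

```c
#include <stdatomic.h>
#include <stdio.h>

/* Constructed user-space model; not kernel code, all names hypothetical. */
#define FQID 500
struct fq { int idx; };
static _Atomic(struct fq *) fq_table[1024];
static atomic_int pool_has_fqid;      /* 1 = FQID is free in the pool */
static int warn_count;                /* modelled WARN_ON() hits */

/* Thread B: take the FQID from the pool, then publish fq in fq_table. */
static void model_create_fq(struct fq *fq) {
    int one = 1;
    if (!atomic_compare_exchange_strong(&pool_has_fqid, &one, 0))
        return;                       /* pool empty: no FQID to reuse yet */
    fq->idx = FQID * 2;
    if (atomic_load(&fq_table[fq->idx]))
        warn_count++;                 /* stale entry: WARN_ON() would fire */
    atomic_store(&fq_table[fq->idx], fq);
}

/* Thread A; racer's create is forced into the window between both steps. */
static void model_destroy_fq(struct fq *fq, int fixed, struct fq *racer) {
    if (fixed) {                      /* patched order */
        atomic_store_explicit(&fq_table[fq->idx], NULL, memory_order_relaxed);
        atomic_thread_fence(memory_order_release); /* stands in for smp_wmb() */
        model_create_fq(racer);                    /* pool still empty */
        atomic_store(&pool_has_fqid, 1);           /* models gen_pool_free() */
    } else {                          /* old order */
        atomic_store(&pool_has_fqid, 1);           /* FQID reusable too early */
        model_create_fq(racer);                    /* sees the stale entry */
        atomic_store(&fq_table[fq->idx], NULL);    /* late clear */
    }
}

/* Returns the WARN_ON() count for one destroy with a racing create. */
static int run_scenario(int fixed) {
    static struct fq a, b;
    warn_count = 0;
    atomic_store(&pool_has_fqid, 1);
    model_create_fq(&a);
    model_destroy_fq(&a, fixed, &b);
    return warn_count;
}

int main(void) {
    printf("old order: %d WARN_ON hit(s)\n", run_scenario(0));
    printf("patched order: %d WARN_ON hit(s)\n", run_scenario(1));
}
```

In the old order the late clear also overwrites the entry the racing create just published, so the new frame queue ends up missing from the table.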

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23463", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-03T16:16:33.520", "lastModified": "2026-05-20T15:25:35.147", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: fix race condition in qman_destroy_fq\n\nWhen QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between\nfq_table[fq->idx] state and freeing/allocating from the pool and\nWARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.\n\nIndeed, we can have:\n Thread A Thread B\n qman_destroy_fq() qman_create_fq()\n qman_release_fqid()\n qman_shutdown_fq()\n gen_pool_free()\n -- At this point, the fqid is available again --\n qman_alloc_fqid()\n -- so, we can get the just-freed fqid in thread B --\n fq->fqid = fqid;\n fq->idx = fqid * 2;\n WARN_ON(fq_table[fq->idx]);\n fq_table[fq->idx] = fq;\n fq_table[fq->idx] = NULL;\n\nAnd adding some logs between qman_release_fqid() and\nfq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.\n\nTo prevent that, ensure that fq_table[fq->idx] is set to NULL before\ngen_pool_free() is called by using smp_wmb()."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "5.10.253", "matchCriteriaId": "E1222648-5D33-4FD3-BE03-3A3C9BDEAD8A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.167", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.78", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.20", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.10", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": 
"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/014077044e874e270ec480515edbc1cadb976cf2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/265e56714635c5dd1e5964bfd97fa6e73f62cde5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/66442cf9989bd4489fa80d9f37637d58ab016835", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/751f60bd48edaf03f9d84ab09e5ce6705757d50f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa", "source": "416baaa9-dc9 ... (truncated)