—

CVE-2026-23449EXPLOITEDPATCHED

linux · linux kernel

net/sched: teql: Fix double-free in teql_master_xmit

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: Fix double-free in teql_master_xmit Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should be called using the seq_lock to avoid racing with the datapath. Failure to do so may cause crashes like the following: [ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139) [ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318 [ 238.029749][ T318] [ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full) [ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 238.029910][ T318] Call Trace: [ 238.029913][ T318] <TASK> [ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122) [ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) [ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139) [ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) ... [ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139) [ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563) [ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139) [ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231) [ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1)) [ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139) ... [ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256) [ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827) [ 238.030039][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) ... [ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034) [ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157) [ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077) [ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159) [ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091) [ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556) ... [ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s: [ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58) [ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) [ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369) [ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921) [ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107)) [ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713) [ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763) [ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997) [ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108) [ 238.081469][ T318] [ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s: [ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58) [ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) [ 238.085348][ T318] kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1)) [ 238.085900][ T318] __kasan_slab_free (mm/ ---truncated---

Affected Products

Vendor	Product	Versions
linux	linux kernel	96009c7d500efdd5534e83b2e3eb2c58d4b137ae, 96009c7d500efdd5534e83b2e3eb2c58d4b137ae, 96009c7d500efdd5534e83b2e3eb2c58d4b137ae, 96009c7d500efdd5534e83b2e3eb2c58d4b137ae, 96009c7d500efdd5534e83b2e3eb2c58d4b137ae, 96009c7d500efdd5534e83b2e3eb2c58d4b137ae, 4.18, 7.0-rc4

References

Related News (2 articles)

Tier C

VulDB7h ago

CVE-2026-23449 | Linux Kernel up to 7.0-rc4 teql_master_xmit double free

→ No new info (linked only)

Tier C

Linux Kernel CVEs7h ago

CVE-2026-23449: net/sched: teql: Fix double-free in teql_master_xmit

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

null

PublishedApr 3, 2026

Last enriched6h agov3

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-31393EXP

Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access

Trending: 59

CRITICALCVE-2026-31397EXP

mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()

Trending: 59

CRITICALCVE-2026-23463EXP

soc: fsl: qbman: fix race condition in qman_destroy_fq

Trending: 59

CRITICALCVE-2026-23438EXP

net: mvpp2: guard flow control update with global_tx_fc in buffer switching

Trending: 59

CRITICALCVE-2026-31396EXP

net: macb: fix use-after-free access to PTP clock

Trending: 59

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 3, 2026

Actively Exploited

Apr 3, 2026

Exploit Available

Apr 3, 2026

Patch Available

Apr 3, 2026

Discovered by ZDM

Apr 3, 2026

Updated: severity, exploitAvailable, activelyExploited, patchAvailable, tags

Apr 3, 2026

Updated: affectedVersions, severity

Apr 3, 2026

Version History

Last enriched 6h ago

v3Tier C6h ago

Updated severity to CRITICAL and added new affected version 7.0-rc4.

affectedVersionsseverity

via VulDB

v2Tier C7h ago

Updated severity to HIGH, marked exploit as available and actively exploited, and added CVE-2026-23449 tag.

severityexploitAvailableactivelyExploitedpatchAvailabletags

via Linux Kernel CVEs

v17h ago

Initial creation

Description

Affected Products

Vendor

Product

Versions

linux

linux kernel

96009c7d500efdd5534e83b2e3eb2c58d4b137ae, 96009c7d500efdd5534e83b2e3eb2c58d4b137ae, 96009c7d500efdd5534e83b2e3eb2c58d4b137ae, 96009c7d500efdd5534e83b2e3eb2c58d4b137ae, 96009c7d500efdd5534e83b2e3eb2c58d4b137ae, 96009c7d500efdd5534e83b2e3eb2c58d4b137ae, 4.18, 7.0-rc4