{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23245", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.989Z", "datePublished": "2026-03-18T10:05:07.406Z", "dateUpdated": "2026-05-11T22:03:07.821Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:03:07.821Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_gate: snapshot parameters with RCU on replace\n\nThe gate action can be replaced while the hrtimer callback or dump path is\nwalking the schedule list.\n\nConvert the parameters to an RCU-protected snapshot and swap updates under\ntcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits\nthe entry list, preserve the existing schedule so the effective state is\nunchanged."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/tc_act/tc_gate.h", "net/sched/act_gate.c"], "versions": [{"version": "a51c328df3106663879645680609eb49b3ff6444", "lessThan": "fc98fd8d214693be91253d9a88cdf8e5e143d124", "status": "affected", "versionType": "git"}, {"version": "a51c328df3106663879645680609eb49b3ff6444", "lessThan": "8b1251bbf0f10ac745ed74bad4d3b433caa1eeae", "status": "affected", "versionType": "git"}, {"version": "a51c328df3106663879645680609eb49b3ff6444", "lessThan": "dfc314d7c767e350f78a46a8f8b134f80e8ad432", "status": "affected", "versionType": "git"}, {"version": "a51c328df3106663879645680609eb49b3ff6444", "lessThan": "035d0d09d5ab3ed3e93d18cde2b562a6719eea23", "status": "affected", "versionType": "git"}, {"version": "a51c328df3106663879645680609eb49b3ff6444", "lessThan": "04d75529dc0f9be78786162ebab7424af4644df2", "status": "affected", "versionType": "git"}, {"version": "a51c328df3106663879645680609eb49b3ff6444", "lessThan": "58b162e318d0243ad2d7d92456c0873f2494c351", "status": "affected", "versionType": "git"}, {"version": "a51c328df3106663879645680609eb49b3ff6444", "lessThan": "62413a9c3cb183afb9bb6e94dd68caf4e4145f4c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/tc_act/tc_gate.h", "net/sched/act_gate.c"], "versions": [{"version": "5.8", "status": "affected"}, {"version": "0", "lessThan": "5.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.18", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.8", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.18.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.19.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/fc98fd8d214693be91253d9a88cdf8e5e143d124"}, {"url": "https://git.kernel.org/stable/c/8b1251bbf0f10ac745ed74bad4d3b433caa1eeae"}, {"url": "https://git.kernel.org/stable/c/dfc314d7c767e350f78a46a8f8b134f80e8ad432"}, {"url": "https://git.kernel.org/stable/c/035d0d09d5ab3ed3e93d18cde2b562a6719eea23"}, {"url": "https://git.kernel.org/stable/c/04d75529dc0f9be78786162ebab7424af4644df2"}, {"url": "https://git.kernel.org/stable/c/58b162e318d0243ad2d7d92456c0873f2494c351"}, {"url": "https://git.kernel.org/stable/c/62413a9c3cb183afb9bb6e94dd68caf4e4145f4c"}], "title": "net/sched: act_gate: snapshot parameters with RCU on replace", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_gate: snapshot parameters with RCU on replace\n\nThe gate action can be replaced while the hrtimer callback or dump path is\nwalking the schedule list.\n\nConvert the parameters to an RCU-protected snapshot and swap updates under\ntcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits\nthe entry list, preserve the existing schedule so the effective state is\nunchanged."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet/sched: act_gate: instant\u00e1nea de par\u00e1metros con RCU al reemplazar\n\nLa acci\u00f3n de puerta puede ser reemplazada mientras la devoluci\u00f3n de llamada de hrtimer o la ruta de volcado est\u00e1 recorriendo la lista de programaci\u00f3n.\n\nConvertir los par\u00e1metros a una instant\u00e1nea protegida por RCU e intercambiar actualizaciones bajo tcf_lock, liberando la instant\u00e1nea anterior mediante call_rcu(). Cuando REPLACE omite la lista de entradas, preservar la programaci\u00f3n existente para que el estado efectivo permanezca inalterado."}], "id": "CVE-2026-23245", "lastModified": "2026-04-18T09:16:14.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-18T11:16:16.437", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/035d0d09d5ab3ed3e93d18cde2b562a6719eea23"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/04d75529dc0f9be78786162ebab7424af4644df2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/58b162e318d0243ad2d7d92456c0873f2494c351"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/62413a9c3cb183afb9bb6e94dd68caf4e4145f4c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8b1251bbf0f10ac745ed74bad4d3b433caa1eeae"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dfc314d7c767e350f78a46a8f8b134f80e8ad432"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fc98fd8d214693be91253d9a88cdf8e5e143d124"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net/sched: act_gate: snapshot parameters with RCU on replace", "id": "2448593", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448593"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23245", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23245\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23245\nhttps://lore.kernel.org/linux-cve-announce/2026031817-CVE-2026-23245-ac26@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a51c328df3106663879645680609eb49b3ff6444,04d75529dc0f9be78786162ebab7424af4644df2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a51c328df3106663879645680609eb49b3ff6444,58b162e318d0243ad2d7d92456c0873f2494c351)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a51c328df3106663879645680609eb49b3ff6444,62413a9c3cb183afb9bb6e94dd68caf4e4145f4c)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.8"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.8)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.18,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.8,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-02T16:49:11.010410+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel update that includes the fix for CVE\u20112026\u201123245.", "Restart the system or reload the affected modules to ensure the kernel is not holding corrupted state.", "Restrict traffic\u2011control configuration modifications to trusted administrators, preventing unprivileged users from invoking gate replacements.", "Monitor kernel logs for crashes or abnormal terminations that may indicate a kernel panic."], "summary": {"action": "Patch immediately", "impact": "Kernel crash leading to denial of service"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the act_gate implementation of net/sched. The bug targets the core Linux kernel (vendor Linux, product Linux kernel). No specific version numbers are listed, so it may affect any kernel prior to the patch commit.", "description_and_impact": "This vulnerability arises from the act_gate function in the Linux network scheduler. When the gate action is replaced while a high\u2011resolution timer callback or dump path is traversing the schedule list, the parameters are turned into an RCU\u2011protected snapshot and then swapped under tcf_lock. Because the previous snapshot is freed via call_rcu(), a race can occur that results in a use\u2011after\u2011free or memory corruption. An attacker who can control the replacement of the gate action may trigger this race, causing the kernel to crash. The weakness is associated with a race condition and use\u2011after\u2011free (CWE\u2011362, CWE\u2011416).", "risk_and_exploitability": "The CVSS score of 7.8 indicates significant impact. The EPSS score is below 1\u202f%, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require local access and the ability to manipulate traffic\u2011control configurations. An attacker with such privileges could trigger a kernel panic, causing a denial of service. No remote code execution vector is documented, so the risk is primarily to availability of affected systems."}}}}, "created": "2026-03-19T08:56:46.483232+00:00", "updated": "2026-04-02T20:23:31.727031+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-362", "CWE-416"]}