{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23245", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.989Z", "datePublished": "2026-03-18T10:05:07.406Z", "dateUpdated": "2026-03-25T10:20:33.436Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:20:33.436Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_gate: snapshot parameters with RCU on replace\n\nThe gate action can be replaced while the hrtimer callback or dump path is\nwalking the schedule list.\n\nConvert the parameters to an RCU-protected snapshot and swap updates under\ntcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits\nthe entry list, preserve the existing schedule so the effective state is\nunchanged."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/tc_act/tc_gate.h", "net/sched/act_gate.c"], "versions": [{"version": "a51c328df3106663879645680609eb49b3ff6444", "lessThan": "8b1251bbf0f10ac745ed74bad4d3b433caa1eeae", "status": "affected", "versionType": "git"}, {"version": "a51c328df3106663879645680609eb49b3ff6444", "lessThan": "dfc314d7c767e350f78a46a8f8b134f80e8ad432", "status": "affected", "versionType": "git"}, {"version": "a51c328df3106663879645680609eb49b3ff6444", "lessThan": "035d0d09d5ab3ed3e93d18cde2b562a6719eea23", "status": "affected", "versionType": "git"}, {"version": "a51c328df3106663879645680609eb49b3ff6444", "lessThan": "04d75529dc0f9be78786162ebab7424af4644df2", "status": "affected", "versionType": "git"}, {"version": "a51c328df3106663879645680609eb49b3ff6444", "lessThan": "58b162e318d0243ad2d7d92456c0873f2494c351", "status": "affected", "versionType": "git"}, {"version": "a51c328df3106663879645680609eb49b3ff6444", "lessThan": "62413a9c3cb183afb9bb6e94dd68caf4e4145f4c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/tc_act/tc_gate.h", "net/sched/act_gate.c"], "versions": [{"version": "5.8", "status": "affected"}, {"version": "0", "lessThan": "5.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.18", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.8", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.18.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.19.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8b1251bbf0f10ac745ed74bad4d3b433caa1eeae"}, {"url": "https://git.kernel.org/stable/c/dfc314d7c767e350f78a46a8f8b134f80e8ad432"}, {"url": "https://git.kernel.org/stable/c/035d0d09d5ab3ed3e93d18cde2b562a6719eea23"}, {"url": "https://git.kernel.org/stable/c/04d75529dc0f9be78786162ebab7424af4644df2"}, {"url": "https://git.kernel.org/stable/c/58b162e318d0243ad2d7d92456c0873f2494c351"}, {"url": "https://git.kernel.org/stable/c/62413a9c3cb183afb9bb6e94dd68caf4e4145f4c"}], "title": "net/sched: act_gate: snapshot parameters with RCU on replace", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_gate: snapshot parameters with RCU on replace\n\nThe gate action can be replaced while the hrtimer callback or dump path is\nwalking the schedule list.\n\nConvert the parameters to an RCU-protected snapshot and swap updates under\ntcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits\nthe entry list, preserve the existing schedule so the effective state is\nunchanged."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet/sched: act_gate: instant\u00e1nea de par\u00e1metros con RCU al reemplazar\n\nLa acci\u00f3n de puerta puede ser reemplazada mientras la devoluci\u00f3n de llamada de hrtimer o la ruta de volcado est\u00e1 recorriendo la lista de programaci\u00f3n.\n\nConvertir los par\u00e1metros a una instant\u00e1nea protegida por RCU e intercambiar actualizaciones bajo tcf_lock, liberando la instant\u00e1nea anterior mediante call_rcu(). Cuando REPLACE omite la lista de entradas, preservar la programaci\u00f3n existente para que el estado efectivo permanezca inalterado."}], "id": "CVE-2026-23245", "lastModified": "2026-03-25T11:16:20.430", "metrics": {}, "published": "2026-03-18T11:16:16.437", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/035d0d09d5ab3ed3e93d18cde2b562a6719eea23"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/04d75529dc0f9be78786162ebab7424af4644df2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/58b162e318d0243ad2d7d92456c0873f2494c351"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/62413a9c3cb183afb9bb6e94dd68caf4e4145f4c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8b1251bbf0f10ac745ed74bad4d3b433caa1eeae"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dfc314d7c767e350f78a46a8f8b134f80e8ad432"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net/sched: act_gate: snapshot parameters with RCU on replace", "id": "2448593", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448593"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23245", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23245\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23245\nhttps://lore.kernel.org/linux-cve-announce/2026031817-CVE-2026-23245-ac26@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a51c328df3106663879645680609eb49b3ff6444,04d75529dc0f9be78786162ebab7424af4644df2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a51c328df3106663879645680609eb49b3ff6444,58b162e318d0243ad2d7d92456c0873f2494c351)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a51c328df3106663879645680609eb49b3ff6444,62413a9c3cb183afb9bb6e94dd68caf4e4145f4c)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.8"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.8)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.18,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.8,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-27T21:25:52.399100+00:00", "value": {"mitigation_remediation": ["Update the system to a Linux kernel version that includes the commit that fixes this race condition.", "If a patch is not immediately available, disable the act_gate action by removing or modifying traffic\u2011control configurations that rely on it.", "Monitor system logs for kernel panics or unusual crashes that may indicate exploitation attempts."], "summary": {"action": "Immediate patch", "impact": "Potential kernel crash or privilege escalation"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the act_gate scheduler action and have not been patched with the change cited in the kernel commits are affected. The issue is present in the Linux:Linux vendor builds. No specific version numbers are given in the advisory, so any kernel built from the mainline source prior to the indicated fix should be considered at risk.", "description_and_impact": "This vulnerability is a race condition in the Linux kernel's traffic control subsystem. The act_gate action can be replaced while the hrtimer callback or dump path is walking the schedule list, converting parameters to an RCU\u2011protected snapshot and swapping them under lock, but freeing the previous snapshot via call_rcu while it may still be referenced. This can lead to a use\u2011after\u2011free scenario that corrupts memory and may crash the kernel or provide a vector for privilege escalation. The weakness is a concurrency error that can result in memory corruption.", "risk_and_exploitability": "The reported exploit probability is below 1% and the vulnerability is not in CISA\u2019s KEV catalog. The potential impact is critical: a kernel crash or memory corruption could grant elevated privileges to an attacker. The likely attack vector is through network traffic that exercises the act_gate action; a local user capable of inserting or replacing traffic\u2011control elements could also trigger the race. Mitigation requires applying a patched kernel; until then, avoiding the use of act_gate or disabling the relevant traffic\u2011control path mitigates risk."}}}}, "created": "2026-03-19T08:56:46.483232+00:00", "updated": "2026-03-29T20:29:05.124192+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}