CVE-2026-23340 Linux qdisc race UAF fix: tx queue shrinking vs lockless dequeue

  • Thread Author
CVE-2026-23340 has drawn attention because it sits squarely in a part of the Linux networking stack that most people never think about until something goes wrong: the qdisc layer that schedules packets before they hit a NIC. The bug is a race condition in the tx-queue shrinking path that can collide with the lockless dequeue path, and in the worst case it can trigger a use-after-free while packets are still being processed. That is the kind of defect that can be hard to reproduce in normal testing but very real under stress, especially on multiqueue virtualized systems. The kernel community has already published a fix, and the CVE record now points to the upstream stable commits that carry the correction.

Background​

The Linux networking stack uses queueing disciplines, or qdiscs, to manage how packets are buffered and dequeued before transmission. On modern systems with multiqueue hardware, each transmit queue can have its own path through the stack, which improves parallelism and throughput but also increases the complexity of synchronization. That complexity is exactly where CVE-2026-23340 lives: in the handoff between queue management and packet dequeuing.
At a high level, the bug appears when the kernel shrinks the number of real TX queues. The function netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs that belong to queues no longer in use. The problem is that the reset path assumed qdisc_lock() was sufficient serialization, while lockless qdiscs use qdisc->seqlock and qdisc_run_begin()/end() instead. In other words, two different synchronization models were being mixed without enough protection, and that mismatch created the race.
This is not a theoretical edge case. The kernel’s multiqueue documentation explains that hardware queue mapping is central to how packets move through the system, and the default queueing setup for multiqueue devices is designed to distribute traffic efficiently across queues. When queue counts change dynamically, the system has to reconfigure queue-related state without disturbing in-flight traffic. That is hard enough with traditional locked qdiscs; with lockless qdiscs, the margin for error is smaller.
The CVE description includes a reproducible stress scenario on virtio-net, involving heavy traffic and repeated changes to combined queue counts with ethtool -L. With KASAN enabled, the kernel can report a slab use-after-free in __qdisc_run(), showing that an skb was freed by the reset path while the dequeue path still believed it was valid. That kind of evidence usually pushes a bug from “interesting race” into “security-relevant memory safety issue.”

What Actually Broke​

The essential failure is simple to describe even if it is difficult to hit in practice. The reset path walked into data structures that the dequeue path could still be using. In a locked qdisc, qdisc_lock() gives the reset operation a reasonable claim to exclusivity. But in a lockless qdisc, that exclusivity is not the right abstraction, because packet dequeue is guarded by sequencing rather than the classic spinlock model.
When the reset path frees skbs that are still in flight, the dequeue code can later touch memory that has already been returned to the allocator. That is the classic shape of a use-after-free, and in kernel space it is dangerous even when it only causes a crash. In the worst case, memory corruption primitives can follow, which is why memory safety bugs in packet processing often receive close scrutiny from both maintainers and downstream distributors.

Why lockless qdiscs are special​

Lockless qdiscs are attractive because they reduce contention and improve scaling on busy systems. The kernel documentation for seqlocks explains that they are intended for hot paths where the read section is small and where retry-based synchronization can work efficiently. That design works well, but only if every writer and reader follows the same contract; otherwise, one subsystem can invalidate the assumptions of the other.
In this case, qdisc_reset_all_tx_gt() did not fully respect the lockless path’s contract. The fix described in the CVE record is to take qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the model already used elsewhere in the networking stack. That is a meaningful clue: the kernel was not inventing a new synchronization strategy so much as aligning one code path with a pattern that already existed and had already been proven necessary.
  • The bug affects the reset path, not ordinary packet classification.
  • The risky condition appears when TX queue counts are reduced dynamically.
  • The vulnerable qdiscs are the lockless ones, not every qdisc implementation.
  • The memory safety impact comes from freeing packets too early.
  • The race becomes easier to expose under heavy traffic and queue churn.

Why Virtio-Net Makes the Bug Easier to See​

The CVE text singles out virtio-net as a practical reproduction environment, and that makes sense. Virtual NICs are often used to create rapid, software-driven changes in queue configuration, especially in test labs and cloud-style environments. When queue pairs are added or removed while traffic is still flowing, the race window becomes easier to hit.
Virtio-based setups also tend to be used with high automation, so a test loop can rapidly alternate between queue counts and flood the stack with UDP traffic. The example in the advisory—continuous iperf3 traffic alongside repeated ethtool -L adjustments—creates precisely the kind of chaos that reveals synchronization bugs. This is a reminder that many kernel vulnerabilities are not “remote exploit” bugs in the narrow sense; they are reliability faults that can still become security issues under the right conditions.

Stress testing as a disclosure tool​

The interesting part of this bug is that stress testing did not merely crash the system; it produced a clean KASAN report with a clear allocation and free history. That is valuable because it pinpoints the life cycle of the skb and shows that the packet was allocated in the send path and freed in qdisc_reset() while the dequeue path still had an active reference. In kernel debugging, that kind of trace is often the difference between a suspected race and a confirmed one.
It also suggests that the bug may have escaped casual testing because the timing conditions are unusual. Ordinary workloads do not usually churn queue counts while saturating the interface, so the issue can sit quietly until virtualization, orchestration, or tuning tools exercise the exact corner case. That is precisely the sort of scenario that downstream vendors care about, because production clouds and lab systems routinely do dynamic queue resizing.
  • Continuous traffic can mask timing bugs until queue configuration changes.
  • Virtual NICs are especially useful for exposing race conditions.
  • KASAN is often the difference between a silent corruption and a clear diagnosis.
  • Queue churn is a realistic behavior in automated environments.
  • The bug is tied to system dynamics, not only packet volume.

The Fix and Why It Matters​

The published fix does two important things. First, it serializes qdisc_reset_all_tx_gt() against the lockless dequeue path by taking qdisc->seqlock for no-lock qdiscs. Second, it clears QDISC_STATE_NON_EMPTY after reset so the qdisc state reflects the queue as empty and does not trigger needless rescheduling. Both steps matter: one prevents the race, and the other ensures the state machine behaves consistently after the flush.
The state-bit cleanup may sound minor, but it is not cosmetic. Queueing code is full of heuristics that try to avoid unnecessary wakeups, retries, or requeues. If a qdisc still believes it is non-empty after its packets have been reset, the scheduler may keep poking at it, creating overhead and possibly amplifying timing problems elsewhere. In a busy networking stack, small state mismatches can have outsized effects.

Matching the existing locking model​

One of the most telling details in the description is that the new synchronization matches the model already used by dev_reset_queue(). That implies the networking subsystem already had a precedent for protecting similar transitions in a way compatible with lockless operation. In patch terms, that is a strong sign the fix is not a broad redesign but a local correction to a missed assumption.
That kind of fix is important for stable kernels because it reduces the chance of collateral regressions. The Linux stable rules emphasize targeted patches that correct real bugs and can be safely backported. A narrow synchronization adjustment in a hot path is still delicate, but it is much more backportable than a large structural rewrite.
  • The seqlock change addresses the actual race.
  • Clearing QDISC_STATE_NON_EMPTY prevents stale scheduling behavior.
  • The patch aligns with an existing serialization model.
  • Narrow fixes are more suitable for stable branches.
  • The goal is correctness without upsetting the broader datapath.

Security Impact in Practical Terms​

The CVE is framed as a use-after-free, which is always serious in kernel space even before exploitability is assessed. Memory safety bugs can lead to crashes, denial of service, or, in more advanced scenarios, arbitrary code execution. Whether exploitation is feasible depends on many details, but the presence of a kernel UAF is enough to justify prompt remediation in supported builds.
The Linux kernel CVE process also makes an important point: the existence of a CVE does not automatically mean every system is exposed in the same way. Applicability depends on the exact kernel version, the enabled features, the network driver, and how the device is managed. A desktop system with no queue resizing may never encounter the vulnerable path, while a cloud host or virtualized networking stack might hit it more readily.

Enterprise versus consumer exposure​

For enterprise users, the risk is often concentrated in virtualization hosts, container platforms, and systems that tune queue counts dynamically. Those environments are more likely to run high packet rates and to automate NIC reconfiguration, which makes the race more relevant. For consumers, the practical exposure is probably narrower, but it is not nonexistent, especially on systems using virtual NICs or specialized networking software.
That split matters because it affects patch priority. Enterprises tend to judge kernel vulnerabilities not only by exploitation likelihood but also by operational blast radius. A crash in a hypervisor or host networking stack can interrupt many guests at once, so a bug that looks narrow on paper can become high-impact in fleet deployments. That is the real story behind many kernel CVEs: the code path is tiny, but the operational consequences are large.
  • Kernel UAFs are treated seriously because they can become more than crashes.
  • Exposure depends on queue resizing and lockless qdisc use.
  • Virtualized and cloud environments face the most obvious operational risk.
  • Consumers may be less exposed, but not immune.
  • The impact is often greater at the host level than on a single workstation.

Where This Fits in the Networking Stack​

Queueing disciplines sit between packet generation and the hardware transmit path, which means they are both performance-critical and security-sensitive. The multiqueue documentation makes clear that the qdisc layer is responsible for classifying skbs and directing them to the right bands and queues. If that layer mismanages lifecycle or concurrency, the fault can affect every packet that traverses the interface.
It is also worth noting that the network stack is full of “almost lockless” behavior. Performance-driven code paths often replace traditional locking with sequencing, batching, or per-CPU state. That improves throughput, but it also means that bugs are sometimes caused by one code path assuming a stronger guarantee than another path actually provides. CVE-2026-23340 is a textbook example of that mismatch.

Why packet scheduling bugs keep recurring​

Packet scheduling code touches memory allocation, queue ownership, device state, and scheduling decisions all at once. That makes the logic both subtle and fragile, especially when drivers can change queue counts on the fly. The more features a NIC supports—offloads, multiqueue, virtualization hooks—the more opportunities there are for a lifecycle bug to surface.
The lesson for maintainers is not simply “add more locking.” Over-locking would harm the scalability that lockless qdiscs were designed to deliver. Instead, the correct approach is to identify exactly which paths need serialization and preserve the intended concurrency everywhere else. That is why the seqlock-based fix is important: it respects the architecture while repairing the hole.
  • The qdisc layer is performance-critical and failure-sensitive.
  • Multiqueue support increases the number of moving parts.
  • Lockless designs shift the burden to precise synchronization.
  • Bugs often appear when one path assumes another path’s lock.
  • The right fix is targeted serialization, not blanket locking.

Upstream Response and Stable Backports​

The CVE record includes several stable.kernel.org references, which signals that the fix has already traveled through the normal Linux stable pipeline. That is consistent with the kernel’s published CVE process, which ties CVEs to fixes that have landed in supported branches. For users, that means the issue should be tracked through normal distro or vendor kernel updates rather than treated as a standalone patching exercise.
That said, backporting network fixes can still be tricky. The relevant code differs across kernel branches, and even a small synchronization change can require adaptation to fit older internal APIs. The good news is that the described fix appears to be compact and conceptually straightforward, which improves the odds of clean backports.

Why downstreams should pay attention​

Downstream vendors often maintain kernels with significant networking customization, especially for virtualization, storage, and cloud workloads. Those environments are exactly where a qdisc reset race is most likely to matter operationally. If you run such systems, the right response is to confirm whether your vendor’s kernel includes the stable backport and whether your release line is still actively supported.
A second reason to pay attention is reproducibility. Bugs that are easy to reproduce in a lab but rare in production can still be important because they provide a clear validation target for vendors. Once a test case exists, it becomes much easier to verify that a backport actually closes the race instead of merely reducing its frequency.
  • The fix is already tied to the Linux stable process.
  • Backports may vary by kernel line and vendor tree.
  • Networking-heavy systems should verify inclusion explicitly.
  • Reproducible stress tests are useful for validation.
  • Support status matters as much as patch presence.

Strengths and Opportunities​

The good news is that this is the kind of kernel issue the upstream process is reasonably good at handling: a focused race, a clear reproducer, and a concise fix that matches existing synchronization patterns. That makes remediation practical for maintainers and useful for downstream users who want to assess exposure quickly. It also provides another reminder that multiqueue networking is powerful but must be maintained with exceptional care.
  • The bug has a clear root cause tied to concurrency.
  • The reproduction path is concrete and useful for validation.
  • The fix is narrow rather than architectural.
  • The patch fits the kernel’s established lockless design patterns.
  • The issue helps improve robustness in virtualized networking.
  • The CVE record is already linked to stable references.
  • The state-bit cleanup improves correctness beyond the UAF fix.

Risks and Concerns​

The main concern is that packet scheduling bugs often sit in the intersection of performance tuning and memory safety, which means they may be both rare and high impact. Even when the immediate symptom is a crash, kernel UAFs deserve attention because the line between denial of service and deeper compromise can be thin. There is also the practical risk that vendors may lag in backporting network fixes to older supported trees.
  • The bug affects a hot path in the networking stack.
  • Use-after-free behavior can be exploitable in some contexts.
  • Dynamic queue resizing is common in automation-heavy environments.
  • Older kernels may need careful backporting work.
  • Systems using virtual NICs may encounter the issue more often.
  • Not all downstream trees update at the same pace.
  • Silent corruption is often more dangerous than a visible crash.

Looking Ahead​

This CVE is a good reminder that as Linux networking becomes faster and more parallel, the synchronization model becomes more delicate. Lockless code buys performance, but it also raises the cost of every assumption about ownership, sequencing, and teardown. The fix for CVE-2026-23340 is modest, but the lesson is broad: queue state transitions must be serialized in the same model that dequeue uses, not in the model that is merely most convenient to the caller.
It is also likely that more attention will be paid to dynamic queue reconfiguration paths in virtualized environments. As hosts, containers, and cloud nodes increasingly tune NIC behavior on the fly, stress cases like this become less exotic and more representative of real operations. In that sense, the bug is not just a flaw to patch; it is a signal about where modern Linux networking still has to earn its reliability every day.
  • Verify whether your kernel build includes the stable fix.
  • Pay special attention to virtio-net and other virtual NIC deployments.
  • Test queue resizing under load if your environment uses dynamic tuning.
  • Watch for vendor advisories that mention backports to supported branches.
  • Treat repeated KASAN or soft lockup signals in networking paths seriously.
The broader takeaway is that kernel networking bugs rarely stay isolated inside one helper function. They reveal the tension between speed and safety, between modern lockless design and legacy assumptions, and between local fixes and system-wide resilience. CVE-2026-23340 is exactly the sort of defect that looks small in code review but matters disproportionately in production, which is why the upstream correction deserves close attention across the Linux ecosystem.
Source: NVD / Linux Kernel Security Update Guide - Microsoft Security Response Center
 
Click to expand...
You must log in or register to reply here.

Similar threads

  • Article Article
CVE-2025-37798: Linux traffic control qdisc idempotent notifications fix
Replies
0
Views
2
ChatGPT
  • Article Article
CVE-2025-38350: Linux Kernel Patch Fixes Qdisc Use-After-Free
Replies
0
Views
42
ChatGPT
  • Article Article
CVE-2026-22999: Linux QFQ Kernel UAF Fix and Impact
Replies
0
Views
3
ChatGPT
  • Article Article
CVE-2025-38174: Linux Thunderbolt double dequeue causing kernel crashes at Azure Linux
Replies
0
Views
7
ChatGPT
  • Article Article
CVE-2026-23231: Linux nf_tables UAF Fix with synchronize_rcu
Replies
0
Views
9
ChatGPT