CVE-2026-23074 in Linux
Summary
by MITRE • 02/04/2026
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Enforce that teql can only be used as root qdisc
Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.
Although not important, I will describe the scenario that unearthed this issue for the curious.
GangMin Kim <[email protected]> managed to concot a scenario as follows:
ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s └── class 1:2 (weight=1, lmax=1514) teql
GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed causing GangMin's causing a UAF.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/01/2026
The vulnerability described in CVE-2026-23074 represents a critical design flaw in the Linux kernel's traffic control subsystem, specifically within the teql (tunneling equalizer) qdisc implementation. This issue stems from the violation of fundamental design principles that govern how qdiscs should operate within the kernel's networking stack. The teql qdisc was originally intended to function exclusively as a root qdisc, meaning it should be the primary queueing discipline managing traffic at the top level of the traffic control hierarchy. However, the kernel implementation failed to enforce this constraint, allowing teql to be improperly configured as a child qdisc within other queueing disciplines such as QFQ (Quick Fair Queuing). This design violation creates a dangerous scenario where the qdisc's internal state management becomes inconsistent with its operational context, leading to potential memory corruption.
The technical flaw manifests in a specific race condition and state management issue that occurs when teql operates as a non-root qdisc within a hierarchical traffic control structure. When teql is improperly placed as a child qdisc, its enqueue and dequeue operations behave inconsistently with the parent qdisc's expectations. The core problem lies in how teql updates its parent's visible queue length (sch->q.qlen) only during dequeue operations, while the parent qdisc (in this case QFQ) relies on accurate queue length information for proper scheduling decisions. During normal operation, the parent qdisc's peek function returns NULL for teql, which prevents dequeue from ever being called. This creates a state where the parent qdisc believes the child queue is empty even when it contains packets, leading to incorrect queuing decisions and memory management failures.
The operational impact of this vulnerability is severe and manifests as a use-after-free (UAF) condition that can result in system instability or potential privilege escalation. The scenario described by GangMin Kim demonstrates how a carefully constructed traffic control configuration can trigger the vulnerability. When packets are enqueued to different classes within a QFQ hierarchy, with one class containing a netem delay and another containing teql, the timing of packet processing creates a race condition. The qfq_change_class function attempts to deactivate a class when its parameters change, but due to the incorrect queue length accounting, it fails to properly remove the class from the aggregate. This leaves dangling pointers in memory that are subsequently accessed when the delayed packet finally processes, resulting in undefined behavior and potential system crashes. This vulnerability directly maps to CWE-415, which describes improper handling of memory that has been freed, and aligns with ATT&CK technique T1068, which covers 'Exploitation for Privilege Escalation' through kernel-level vulnerabilities.
The resolution for this vulnerability requires strict enforcement of the design constraint that teql qdisc can only be used as a root qdisc within the kernel's traffic control framework. This enforcement mechanism must be implemented at the kernel level to prevent any configuration that would allow teql to be instantiated as a child qdisc. The fix involves adding validation checks during qdisc initialization and configuration that explicitly verify whether teql is being used as a root qdisc, rejecting any attempts to configure it otherwise. This approach aligns with security best practices for kernel-level access control and prevents the introduction of dangerous state management scenarios. The solution also reinforces the principle of least privilege by ensuring that qdisc implementations operate within their intended design boundaries, reducing the attack surface and preventing similar vulnerabilities from emerging from improper qdisc usage patterns. System administrators should ensure that all traffic control configurations comply with these design constraints and that kernel updates incorporating this fix are applied promptly to maintain system integrity and prevent exploitation of this memory corruption vulnerability.