CVE-2026-23105 in Linux
Summary
by MITRE • 02/04/2026
In the Linux kernel, the following vulnerability has been resolved:
net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag
This is more of a preventive patch to make the code more consistent and to prevent possible exploits that employ child qlen manipulations on qfq. use cl_is_active instead of relying on the child qdisc's qlen to determine class activation.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/03/2026
The vulnerability identified as CVE-2026-23105 resides within the Linux kernel's networking subsystem, specifically in the queuing discipline implementation known as qfq or Quick Fair Queuing. This patch addresses a potential security concern that could be exploited through manipulation of queue lengths within the qfq scheduling mechanism. The issue stems from the qfq implementation's reliance on child qdisc's qlen values to determine class activation status, which creates an exploitable condition that adversaries could leverage to bypass intended queue management behaviors. The vulnerability represents a code consistency issue that could enable malicious actors to manipulate queue states in ways that were not properly accounted for in the original implementation.
The technical flaw manifests in the qfq_rm_from_ag function where the code previously used child qdisc queue length values to determine if a class was active. This approach creates a potential attack vector because an attacker could manipulate the qlen values of child queues to influence the activation status of classes within the qfq scheduler. The patch resolves this by introducing the cl_is_active flag which provides a more reliable and consistent method for determining class activation status. This change prevents attackers from exploiting the queue length manipulation techniques to bypass normal queue management controls. The implementation follows established security principles by using explicit activation flags rather than indirect indicators that could be manipulated. This approach aligns with the principle of least privilege and defense in depth as outlined in various cybersecurity frameworks and standards.
The operational impact of this vulnerability extends beyond simple code consistency concerns to potentially affect network traffic management and security policies implemented through the Linux kernel's queuing disciplines. Systems relying on qfq scheduling for traffic control could be vulnerable to attacks that manipulate queue states to bypass quality of service controls or to create denial of service conditions. The vulnerability could enable attackers to disrupt normal traffic scheduling behavior, potentially leading to unfair bandwidth allocation or service degradation. This is particularly concerning in environments where network traffic management is critical for maintaining service availability and performance. The patch ensures that queue management decisions are based on explicit activation status rather than potentially manipulable queue length indicators, thereby maintaining the integrity of the scheduling mechanism.
Mitigation strategies for this vulnerability involve applying the kernel patch that implements the cl_is_active flag approach for determining class activation status. System administrators should prioritize updating affected kernel versions to prevent exploitation of this condition. The patch represents a defensive coding practice that reduces the attack surface by eliminating the reliance on potentially manipulable queue length indicators. Organizations should also implement monitoring for unusual queue behavior patterns that might indicate attempted exploitation of this vulnerability. The fix aligns with the CWE-691 weakness classification related to insufficient control of a resource through potentially vulnerable flows, and could be mapped to ATT&CK technique T1070.004 for bypassing security controls through manipulation of system resources. Regular kernel updates and security assessments should be maintained to ensure protection against similar vulnerabilities in network scheduling mechanisms.