{"id":"CVE-2026-23074","summary":"net/sched: Enforce that teql can only be used as root qdisc","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Enforce that teql can only be used as root qdisc\n\nDesign intent of teql is that it is only supposed to be used as root qdisc.\nWe need to check for that constraint.\n\nAlthough not important, I will describe the scenario that unearthed this\nissue for the curious.\n\nGangMin Kim \u003ckm.kim1503@gmail.com\u003e managed to concot a scenario as follows:\n\nROOT qdisc 1:0 (QFQ)\n  ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s\n  └── class 1:2 (weight=1, lmax=1514) teql\n\nGangMin sends a packet which is enqueued to 1:1 (netem).\nAny invocation of dequeue by QFQ from this class will not return a packet\nuntil after 6.4s. In the meantime, a second packet is sent and it lands on\n1:2. teql's enqueue will return success and this will activate class 1:2.\nMain issue is that teql only updates the parent visible qlen (sch-\u003eq.qlen)\nat dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's\npeek always returns NULL), dequeue will never be called and thus the qlen\nwill remain as 0. With that in mind, when GangMin updates 1:2's lmax value,\nthe qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's\nqlen was not incremented, qfq fails to deactivate the class, but still\nfrees its pointers from the aggregate. So when the first packet is\nrescheduled after 6.4 seconds (netem's delay), a dangling pointer is\naccessed causing GangMin's causing a UAF.","modified":"2026-04-17T18:29:22.463244519Z","published":"2026-02-04T16:07:59.379Z","related":["ALSA-2026:3083","ALSA-2026:3110","SUSE-SU-2026:0617-1","SUSE-SU-2026:0928-1","SUSE-SU-2026:0961-1","SUSE-SU-2026:0962-1","SUSE-SU-2026:1003-1","SUSE-SU-2026:1041-1","SUSE-SU-2026:1077-1","SUSE-SU-2026:1078-1","SUSE-SU-2026:1081-1","SUSE-SU-2026:1130-1","SUSE-SU-2026:1131-1","SUSE-SU-2026:1180-1","SUSE-SU-2026:1185-1","SUSE-SU-2026:1187-1","SUSE-SU-2026:1188-1","SUSE-SU-2026:1189-1","SUSE-SU-2026:1212-1","SUSE-SU-2026:1221-1","SUSE-SU-2026:1222-1","SUSE-SU-2026:1225-1","SUSE-SU-2026:1236-1","SUSE-SU-2026:1237-1","SUSE-SU-2026:1239-1","SUSE-SU-2026:1242-1","SUSE-SU-2026:1244-1","SUSE-SU-2026:1248-1","SUSE-SU-2026:1254-1","SUSE-SU-2026:1258-1","SUSE-SU-2026:1259-1","SUSE-SU-2026:1261-1","SUSE-SU-2026:1262-1","SUSE-SU-2026:1263-1","SUSE-SU-2026:1265-1","SUSE-SU-2026:1266-1","SUSE-SU-2026:1268-1","SUSE-SU-2026:1269-1","SUSE-SU-2026:1270-1","SUSE-SU-2026:1271-1","SUSE-SU-2026:1272-1","SUSE-SU-2026:1274-1","SUSE-SU-2026:1278-1","SUSE-SU-2026:1279-1","SUSE-SU-2026:1280-1","SUSE-SU-2026:1281-1","SUSE-SU-2026:1283-1","SUSE-SU-2026:1284-1","SUSE-SU-2026:1285-1","SUSE-SU-2026:1287-1","SUSE-SU-2026:1288-1","SUSE-SU-2026:1293-1","SUSE-SU-2026:1294-1","SUSE-SU-2026:1297-1","SUSE-SU-2026:1298-1","SUSE-SU-2026:1304-1","SUSE-SU-2026:1305-1","SUSE-SU-2026:20667-1","SUSE-SU-2026:20720-1","SUSE-SU-2026:20838-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","SUSE-SU-2026:20931-1","SUSE-SU-2026:21004-1","SUSE-SU-2026:21005-1","SUSE-SU-2026:21006-1","SUSE-SU-2026:21007-1","SUSE-SU-2026:21008-1","SUSE-SU-2026:21009-1","SUSE-SU-2026:21020-1","SUSE-SU-2026:21040-1","SUSE-SU-2026:21041-1","SUSE-SU-2026:21042-1","SUSE-SU-2026:21043-1","SUSE-SU-2026:21044-1","SUSE-SU-2026:21045-1","SUSE-SU-2026:21046-1","SUSE-SU-2026:21047-1","SUSE-SU-2026:21048-1","SUSE-SU-2026:21049-1","SUSE-SU-2026:21050-1","SUSE-SU-2026:21051-1","SUSE-SU-2026:21052-1","SUSE-SU-2026:21053-1","SUSE-SU-2026:21054-1","SUSE-SU-2026:21055-1","SUSE-SU-2026:21056-1","SUSE-SU-2026:21057-1","SUSE-SU-2026:21058-1","SUSE-SU-2026:21059-1","SUSE-SU-2026:21060-1","SUSE-SU-2026:21061-1","SUSE-SU-2026:21070-1","SUSE-SU-2026:21071-1","SUSE-SU-2026:21072-1","SUSE-SU-2026:21073-1","SUSE-SU-2026:21074-1","SUSE-SU-2026:21075-1","SUSE-SU-2026:21076-1","SUSE-SU-2026:21077-1","SUSE-SU-2026:21078-1","SUSE-SU-2026:21079-1","SUSE-SU-2026:21080-1","SUSE-SU-2026:21081-1","SUSE-SU-2026:21082-1","SUSE-SU-2026:21083-1","SUSE-SU-2026:21084-1","SUSE-SU-2026:21085-1","SUSE-SU-2026:21086-1","SUSE-SU-2026:21087-1","SUSE-SU-2026:21088-1","SUSE-SU-2026:21089-1","SUSE-SU-2026:21090-1","SUSE-SU-2026:21091-1","SUSE-SU-2026:21096-1","SUSE-SU-2026:21098-1","SUSE-SU-2026:21099-1","SUSE-SU-2026:21100-1","SUSE-SU-2026:21102-1","openSUSE-SU-2026:20416-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23074.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0686bedfed34155520f3f735cbf3210cb9044380"},{"type":"WEB","url":"https://git.kernel.org/stable/c/16ed73c1282d376b956bff23e5139add061767ba"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4c7e8aa71c9232cba84c289b4b56cba80b280841"},{"type":"WEB","url":"https://git.kernel.org/stable/c/50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/73d970ff0eddd874a84c953387c7f4464b705fc6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ae810e6a8ac4fe25042e6825d2a401207a2e41fb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dad49a67c2d817bfec98e6e45121b351e3a0202c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23074.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23074"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2"},{"fixed":"73d970ff0eddd874a84c953387c7f4464b705fc6"},{"fixed":"ae810e6a8ac4fe25042e6825d2a401207a2e41fb"},{"fixed":"dad49a67c2d817bfec98e6e45121b351e3a0202c"},{"fixed":"0686bedfed34155520f3f735cbf3210cb9044380"},{"fixed":"4c7e8aa71c9232cba84c289b4b56cba80b280841"},{"fixed":"16ed73c1282d376b956bff23e5139add061767ba"},{"fixed":"50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23074.json"}}],"schema_version":"1.7.5"}