CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Enforce that teql can only be used as root qdisc
Design intent of teql is that it is only supposed to be used as root qdisc.
We need to check for that constraint.
Although not important, I will describe the scenario that unearthed this
issue for the curious.
GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows:
ROOT qdisc 1:0 (QFQ)
├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s
└── class 1:2 (weight=1, lmax=1514) teql
GangMin sends a packet which is enqueued to 1:1 (netem).
Any invocation of dequeue by QFQ from this class will not return a packet
until after 6.4s. In the meantime, a second packet is sent and it lands on
1:2. teql's enqueue will return success and this will activate class 1:2.
Main issue is that teql only updates the parent visible qlen (sch->q.qlen)
at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's
peek always returns NULL), dequeue will never be called and thus the qlen
will remain as 0. With that in mind, when GangMin updates 1:2's lmax value,
the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's
qlen was not incremented, qfq fails to deactivate the class, but still
frees its pointers from the aggregate. So when the first packet is
rescheduled after 6.4 seconds (netem's delay), a dangling pointer is
accessed causing GangMin's causing a UAF.
Security readout for executives and security teams
Plain-English summary
CVE-2026-23074 is a Linux kernel use-after-free in traffic control scheduling. It can let a low-privileged local attacker with relevant networking control reach kernel memory corruption, with confidentiality, integrity, and availability impact. It is not described as remotely exploitable from the network.
Executive priority
Treat as high priority for shared Linux, virtualization, and container hosts. It is local rather than internet-facing, but kernel memory corruption can become full host compromise when attacker preconditions exist.
Technical view
The teql queueing discipline was intended only as a root qdisc. When nested under a classful scheduler, its queue length handling can leave QFQ state inconsistent, causing a dangling pointer and use-after-free. The kernel fix enforces teql root-qdisc-only use.
Likely exposure
Exposure is likely on Linux systems running affected kernel versions or downstream kernels missing the stable/vendor backport, especially multi-user hosts and container environments where users or workloads can configure traffic control or hold CAP_NET_ADMIN-like privileges.
Exploitation context
The bundle marks KEV false and provides no evidence of active exploitation. The public description includes a researcher-found scenario leading to UAF, but not an exploit chain. Attack context is local with low privileges per CVSS, not unauthenticated remote access.
Researcher notes
Focus validation on net/sched teql placement restrictions and downstream backport presence. The root cause is inconsistent qdisc queue accounting that can leave scheduler aggregate pointers stale. Evidence is source-bundle limited; no exploitation telemetry is provided.
Mitigation direction
Apply vendor kernel updates or stable kernels containing the referenced fixes.
Review Red Hat RHSA advisories if using affected Red Hat kernel packages.
Restrict CAP_NET_ADMIN and traffic-control configuration to trusted administrators.
Reduce untrusted access on shared Linux hosts until patched.
Reboot into the patched kernel after package installation.
Validation and detection
Inventory running kernel versions across Linux fleets.
Check vendor advisory status for each kernel package.
Confirm the fix commit or downstream backport is present.
Audit users, services, and containers with network administration privileges.
Verify systems have rebooted into the updated kernel.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-825: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
5Timeline events
2ADP providers
20Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-825 · source CWE mapping
Expired Pointer Dereference
Expired Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.