The Linux kernel now has a fix for CVE-2026-23074, a use-after-free vulnerability (CWE-416) that lives in net/sched/sch_teql.c, the code for the teql queueing discipline (qdisc) inside the kernel’s network traffic control subsystem. The flaw scores CVSS 3.1 of 7.8 (high severity), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. That means a low-privileged user can exploit it locally and fully compromise the confidentiality, integrity and availability of the system.
What the vulnerability is
The teql qdisc (trivial link equalizer) was meant to be used only as a root qdisc. Trouble starts when someone configures it wrong, as a non-root qdisc, say hanging under a parent scheduler such as QFQ.
The root cause is that teql only updates the queue length (qlen) that its parent sees during the dequeue operation. Because QFQ only calls dequeue when a prior peek succeeds, and teql’s peek always returns NULL, the qlen counter never goes up. So the parent qdisc mishandles its class state when the configuration changes: it can free pointers while packets are still queued, leaving a dangling pointer that gets reused later. That access to already-freed memory is the use-after-free condition an attacker can ride.
Who is affected
The flaw has been around since kernel version 2.6.12 and stretches across many stable branches. According to the NVD record, the following are vulnerable:
- 5.11 up to before 5.15.199
- 5.16 up to before 6.1.162
- 6.2 up to before 6.6.122
- 6.7 up to before 6.12.68
- 6.13 up to before 6.18.8
- 6.19-rc versions
In practice it hits any Linux system running a vulnerable kernel where an unprivileged user can create and configure traffic-control qdiscs. Local users holding CAP_NET_ADMIN inside a network namespace typically have that capability, which widens the attack surface wherever containers or user namespaces are enabled.
Severity
This is a local privilege escalation flaw. You can’t exploit it remotely: it needs local access and the ability to touch the network configuration. Still, kernel use-after-free bugs have a long track record of being turned into memory read/write primitives that end up granting root, so the severity is high (CVSS 7.8) and you shouldn’t put off the update on multi-user systems or ones running untrusted workloads.
Mitigation and patch
The upstream fix enforces the design constraint and stops teql from being used as a non-root qdisc, which cuts off the scenario that leads to the dangling pointer. It shipped across seven commits spread over the various maintained kernel branches.
Recommendations:
- Update the kernel to a fixed version: 5.15.199, 6.1.162, 6.6.122, 6.12.68, 6.18.8 or later, depending on the branch you run. Apply your distribution’s security updates (Debian, Ubuntu, etc.) as soon as they land.
- As a temporary mitigation, restrict the ability to create qdiscs for untrusted users and review your use of user namespaces if you don’t need them.
You can check the affected component in our directory: Linux kernel.
Source
- NVD - NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2026-23074
- CVE detail: https://nvd.nist.gov/vuln/detail/CVE-2026-23074