
CVE-2026-23245: race condition in the Linux traffic control gate action

The gate action in the Linux kernel’s traffic control subsystem (net/sched) carried a race condition now tracked as CVE-2026-23245. The bug lives in net/sched/act_gate.c and let a local user with permission to configure traffic control cause inconsistent memory access inside the kernel.

What the gate action does and where it breaks

The gate action is part of Time-Aware Shaping, the mechanism that opens and closes transmission “gates” according to a time schedule (tied to TSN, time-sensitive networking). That schedule is a list of entries the kernel walks periodically from an hrtimer, and the same list is read whenever someone dumps the traffic control configuration.

The flaw shows up when the action is replaced on a live system. If a user swaps the gate action while the timer callback or the dump path is walking the schedule list, the code freed or changed those parameters without enough synchronization. One thread read structures that another was modifying or freeing. The result is inconsistent memory access, with the potential for corruption and a system crash.

Who is affected

This hits Linux systems that have the traffic control stack enabled and the gate action available, which is common on general-purpose kernels. According to NVD the range of vulnerable versions is wide:

  • 5.8 through 5.10.252
  • 5.11 through 6.1.166
  • 6.2 through 6.6.129
  • 6.7 through 6.12.77
  • 6.13 through 6.18.17
  • 6.19 through 6.19.7

The vector is local: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. You need an account on the machine and permission to manipulate traffic control (the CAP_NET_ADMIN capability, typically inside a network namespace). It is not a flaw you can exploit blindly from the internet, but on multi-user hosts or with containers granted CAP_NET_ADMIN the risk is real. It belongs to the same family as other kernel race and use-after-free issues patched the same month, such as the TLS subsystem use-after-free in CVE-2026-23240.

Severity

The CVSS 3.1 score assigned by kernel.org is 7.8 (high), with high impact on confidentiality, integrity and availability. The race can lead to reading memory that does not belong to the caller, or to a kernel crash. Races like this are delicate: they depend on the exact timing between the timer and the action replacement, which makes a reliable exploit harder to build, though not impossible.

Mitigation and patch

The fix changes how the schedule parameters are handled. Instead of touching the list in place, it introduces RCU-protected snapshots: the new parameters are swapped under the tcf_lock lock and the old ones are freed in a deferred way through call_rcu(). Any reader still walking the previous version keeps seeing it intact until it finishes, and the free only happens once nobody is using it.

The right move is to update the kernel to a version that carries the patch. Seven backport commits were published on git.kernel.org covering the affected stable branches, so most distributions pick them up in their kernel updates from March 2026 onward. Check your distribution’s advisory (Debian, Ubuntu, SUSE) and apply the corrected version. If for some reason you cannot patch right away, limiting who holds CAP_NET_ADMIN and auditing containers granted that capability reduces the exposed surface. The kernel itself runs on most distributions; see the Linux kernel page for version details.
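A triage sketch for the two steps above, added here as an example and not taken from the kernel patch or any distribution tool. It compares a `uname -r` string against the ranges listed on this page, treating both ends as inclusive (an assumption), and lists processes whose effective capability set in /proc/<pid>/status includes CAP_NET_ADMIN. The function names are illustrative.

```python
import os
import re

# Vulnerable upstream ranges as listed on this page; both ends taken as inclusive.
VULNERABLE_RANGES = [
    ((5, 8, 0), (5, 10, 252)),
    ((5, 11, 0), (6, 1, 166)),
    ((6, 2, 0), (6, 6, 129)),
    ((6, 7, 0), (6, 12, 77)),
    ((6, 13, 0), (6, 18, 17)),
    ((6, 19, 0), (6, 19, 7)),
]
CAP_NET_ADMIN = 12  # capability bit number from linux/capability.h

def parse_release(release):
    """Turn a `uname -r` string such as '6.6.100-generic' into (6, 6, 100)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def in_vulnerable_range(release):
    """True if the upstream version number falls in a listed range.
    Distribution kernels can carry the fix under an older version string, so
    True means "check the vendor advisory", not "confirmed vulnerable"."""
    v = parse_release(release)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)

def has_net_admin(cap_hex):
    """Decode a CapEff hex mask as printed in /proc/<pid>/status."""
    return bool((int(cap_hex, 16) >> CAP_NET_ADMIN) & 1)

def net_admin_processes(proc="/proc"):
    """Yield (pid, name) for readable processes holding CAP_NET_ADMIN."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/status") as fh:
                fields = dict(l.split(":\t", 1) for l in fh if ":\t" in l)
        except OSError:
            continue  # process exited or status not readable
        if has_net_admin(fields.get("CapEff", "0").strip()):
            yield int(pid), fields.get("Name", "?").strip()

if __name__ == "__main__":
    rel = os.uname().release
    state = "in a listed range" if in_vulnerable_range(rel) else "outside listed ranges"
    print(f"{rel}: {state}")
    for pid, name in net_admin_processes():
        print(f"CAP_NET_ADMIN: pid={pid} name={name}")
```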
