{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23463", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.021Z", "datePublished": "2026-04-03T15:15:42.411Z", "dateUpdated": "2026-04-03T15:15:42.411Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:42.411Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: fix race condition in qman_destroy_fq\n\nWhen QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between\nfq_table[fq->idx] state and freeing/allocating from the pool and\nWARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.\n\nIndeed, we can have:\n Thread A Thread B\n qman_destroy_fq() qman_create_fq()\n qman_release_fqid()\n qman_shutdown_fq()\n gen_pool_free()\n -- At this point, the fqid is available again --\n qman_alloc_fqid()\n -- so, we can get the just-freed fqid in thread B --\n fq->fqid = fqid;\n fq->idx = fqid * 2;\n WARN_ON(fq_table[fq->idx]);\n fq_table[fq->idx] = fq;\n fq_table[fq->idx] = NULL;\n\nAnd adding some logs between qman_release_fqid() and\nfq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.\n\nTo prevent that, ensure that fq_table[fq->idx] is set to NULL before\ngen_pool_free() is called by using smp_wmb()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/soc/fsl/qbman/qman.c"], "versions": [{"version": "c535e923bb97a4b361e89a6383693482057f8b0c", "lessThan": "9e3d47904b8153c8c3ad2f9b66d5008aad677aa8", "status": "affected", "versionType": "git"}, {"version": "c535e923bb97a4b361e89a6383693482057f8b0c", "lessThan": "d21923a8059fa896bfef016f55dd769299335cb4", "status": "affected", "versionType": "git"}, {"version": "c535e923bb97a4b361e89a6383693482057f8b0c", "lessThan": "751f60bd48edaf03f9d84ab09e5ce6705757d50f", "status": "affected", "versionType": "git"}, {"version": "c535e923bb97a4b361e89a6383693482057f8b0c", "lessThan": "85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa", "status": "affected", "versionType": "git"}, {"version": "c535e923bb97a4b361e89a6383693482057f8b0c", "lessThan": "265e56714635c5dd1e5964bfd97fa6e73f62cde5", "status": "affected", "versionType": "git"}, {"version": "c535e923bb97a4b361e89a6383693482057f8b0c", "lessThan": "014077044e874e270ec480515edbc1cadb976cf2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/soc/fsl/qbman/qman.c"], "versions": [{"version": "4.9", "status": "affected"}, {"version": "0", "lessThan": "4.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9e3d47904b8153c8c3ad2f9b66d5008aad677aa8"}, {"url": "https://git.kernel.org/stable/c/d21923a8059fa896bfef016f55dd769299335cb4"}, {"url": "https://git.kernel.org/stable/c/751f60bd48edaf03f9d84ab09e5ce6705757d50f"}, {"url": "https://git.kernel.org/stable/c/85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa"}, {"url": "https://git.kernel.org/stable/c/265e56714635c5dd1e5964bfd97fa6e73f62cde5"}, {"url": "https://git.kernel.org/stable/c/014077044e874e270ec480515edbc1cadb976cf2"}], "title": "soc: fsl: qbman: fix race condition in qman_destroy_fq", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: fix race condition in qman_destroy_fq\n\nWhen QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between\nfq_table[fq->idx] state and freeing/allocating from the pool and\nWARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.\n\nIndeed, we can have:\n Thread A Thread B\n qman_destroy_fq() qman_create_fq()\n qman_release_fqid()\n qman_shutdown_fq()\n gen_pool_free()\n -- At this point, the fqid is available again --\n qman_alloc_fqid()\n -- so, we can get the just-freed fqid in thread B --\n fq->fqid = fqid;\n fq->idx = fqid * 2;\n WARN_ON(fq_table[fq->idx]);\n fq_table[fq->idx] = fq;\n fq_table[fq->idx] = NULL;\n\nAnd adding some logs between qman_release_fqid() and\nfq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.\n\nTo prevent that, ensure that fq_table[fq->idx] is set to NULL before\ngen_pool_free() is called by using smp_wmb()."}], "id": "CVE-2026-23463", "lastModified": "2026-04-07T13:21:09.600", "metrics": {}, "published": "2026-04-03T16:16:33.520", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/014077044e874e270ec480515edbc1cadb976cf2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/265e56714635c5dd1e5964bfd97fa6e73f62cde5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/751f60bd48edaf03f9d84ab09e5ce6705757d50f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9e3d47904b8153c8c3ad2f9b66d5008aad677aa8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d21923a8059fa896bfef016f55dd769299335cb4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: soc: fsl: qbman: fix race condition in qman_destroy_fq", "id": "2454847", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454847"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-367", "details": ["A flaw was found in the Linux kernel, specifically within the soc: fsl: qbman component. This vulnerability is caused by a race condition that occurs when managing Frequency Queue Identifiers (FQIDs). If exploited, this race condition can lead to a system crash, resulting in a Denial of Service (DoS) for the affected system."], "name": "CVE-2026-23463", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23463\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23463\nhttps://lore.kernel.org/linux-cve-announce/2026040320-CVE-2026-23463-e730@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c535e923bb97a4b361e89a6383693482057f8b0c,9e3d47904b8153c8c3ad2f9b66d5008aad677aa8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c535e923bb97a4b361e89a6383693482057f8b0c,d21923a8059fa896bfef016f55dd769299335cb4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c535e923bb97a4b361e89a6383693482057f8b0c,751f60bd48edaf03f9d84ab09e5ce6705757d50f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c535e923bb97a4b361e89a6383693482057f8b0c,85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c535e923bb97a4b361e89a6383693482057f8b0c,265e56714635c5dd1e5964bfd97fa6e73f62cde5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c535e923bb97a4b361e89a6383693482057f8b0c,014077044e874e270ec480515edbc1cadb976cf2)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.9"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,4.9)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.167,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.130,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.78,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.20,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.10,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-07T11:05:47.495188+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the race condition fix", "Verify that the qbman driver is present and that the patch is applied", "If a kernel update is not possible, disable dynamic FQID usage or serialize queue create and destroy operations", "Monitor system logs for WARN_ON occurrences and signs of kernel instability"], "summary": {"action": "Apply patch", "impact": "Denial of Service via kernel instability"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that include the Freescale QMan (qbman) driver for queue management are potentially affected. The advisory does not specify a precise kernel version range, so any kernel containing the qman driver prior to the patch could be vulnerable.", "description_and_impact": "A race condition exists in the Freescale QMan (qbman) driver when the QMAN_FQ_FLAG_DYNAMIC_FQID flag is enabled. If a queue is destroyed while another thread concurrently allocates a new queue, the freed FQID can be reassigned before the original table entry is cleared, triggering a WARN_ON check and corrupting the internal fq_table. This behaviour can lead to kernel instability and potentially a denial of service. The underlying weakness is a race condition (CWE\u2011367).", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. This vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local or privileged code that can simultaneously destroy and create queues. Based on the description, it is inferred that exploitation would require such conditions, but no public exploit is known."}}}}, "created": "2026-04-03T21:13:35.575983+00:00", "updated": "2026-04-08T19:53:44.097647+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}