PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23463 Linux CVE debrief

CVE-2026-23463 is a Linux kernel race condition in the soc:fsl:qbman qman flow-queue management path. When QMAN_FQ_FLAG_DYNAMIC_FQID is set, the ordering between clearing fq_table[fq->idx] and returning the FQID to the pool can allow a concurrent creator to reuse the just-freed ID and hit a WARN_ON in qman_create_fq(). The published fix changes the ordering so the table entry is cleared before gen_pool_free() is called.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 4.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-03
Original CVE updated
2026-05-20
Advisory published
2026-04-03
Advisory updated
2026-05-20

Who should care

Linux kernel maintainers, distribution security teams, and operators running kernels that include the Freescale/NXP qbman qman subsystem should care, especially if they rely on affected stable branches or backported kernel trees. Systems using dynamic FQID handling in this path are the most relevant.

Technical summary

The issue is a CWE-362 race condition. In the vulnerable sequence, qman_destroy_fq() releases an FQID, qman_create_fq() in another thread can immediately reallocate that same ID from the gen_pool, and the creator observes stale state in fq_table[fq->idx], triggering WARN_ON(fq_table[fq->idx]). The fix ensures fq_table[fq->idx] is set to NULL before the ID is returned to the pool, using smp_wmb() to enforce the intended write ordering.

Defensive priority

Medium. NVD rates the issue 4.7/10 with local attack vector, high attack complexity, low privileges required, and availability impact only. It is not a remote code execution issue, but it can cause kernel warning conditions and service disruption in affected configurations.

Recommended defensive actions

  • Update to a kernel build that includes the upstream fix or the corresponding stable backport.
  • Verify whether your kernels fall within the affected NVD version ranges: 4.9 before 5.10.253, 5.11 before 5.15.203, 5.16 before 6.1.167, 6.2 before 6.6.130, 6.7 before 6.12.78, 6.13 before 6.18.20, 6.19 before 6.19.10, 7
  • Prioritize systems that use the qbman/qman subsystem and dynamic FQID handling for validation and patch rollout.
  • Monitor kernel logs for repeated WARN_ON activity in qman_create_fq() as an operational signal of the race.
  • If immediate patching is not possible, reduce exposure by minimizing changes to the affected subsystem on production systems and schedule maintenance for kernel updates.

Evidence notes

This debrief is based on the CVE description provided in the source corpus and the official NVD record. The corpus states that the race occurs between qman_destroy_fq()/qman_release_fqid()/gen_pool_free() and qman_create_fq(), and that the fix is to clear fq_table[fq->idx] before freeing the ID with smp_wmb(). NVD marks the vulnerability as analyzed, assigns CVSS 3.1 vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, and lists affected Linux kernel version ranges plus official stable patch references.

Official resources

CVE published by NVD on 2026-04-03T16:16:33.520Z and last modified on 2026-05-20T15:25:35.147Z. NVD classifies the issue as analyzed and provides official kernel patch references.