CVE-2026-23463
- Source
- https://cve.org/CVERecord?id=CVE-2026-23463
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23463.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-23463
- Downstream
- Related
- Published
- 2026-04-03T15:15:42.411Z
- Modified
- 2026-06-04T09:14:19.437934381Z
- Summary
- soc: fsl: qbman: fix race condition in qman_destroy_fq
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
soc: fsl: qbman: fix race condition in qmandestroyfq
When QMANFQFLAGDYNAMICFQID is set, there's a race condition between fqtable[fq->idx] state and freeing/allocating from the pool and WARNON(fqtable[fq->idx]) in qmancreate_fq() gets triggered.
Indeed, we can have: Thread A Thread B qmandestroyfq() qmancreatefq() qmanreleasefqid() qmanshutdownfq() genpoolfree() -- At this point, the fqid is available again -- qmanallocfqid() -- so, we can get the just-freed fqid in thread B -- fq->fqid = fqid; fq->idx = fqid * 2; WARNON(fqtable[fq->idx]); fqtable[fq->idx] = fq; fqtable[fq->idx] = NULL;
And adding some logs between qmanreleasefqid() and fqtable[fq->idx] = NULL makes the WARNON() trigger a lot more.
To prevent that, ensure that fqtable[fq->idx] is set to NULL before genpoolfree() is called by using smpwmb().
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23463.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/014077044e874e270ec480515edbc1cadb976cf2
- https://git.kernel.org/stable/c/265e56714635c5dd1e5964bfd97fa6e73f62cde5
- https://git.kernel.org/stable/c/66442cf9989bd4489fa80d9f37637d58ab016835
- https://git.kernel.org/stable/c/751f60bd48edaf03f9d84ab09e5ce6705757d50f
- https://git.kernel.org/stable/c/85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa
- https://git.kernel.org/stable/c/9e3d47904b8153c8c3ad2f9b66d5008aad677aa8
- https://git.kernel.org/stable/c/d21923a8059fa896bfef016f55dd769299335cb4
- https://git.kernel.org/stable/c/d288fbe652ef43b7128e4bc0c0c2ef6bd03a2210
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23463.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-23463
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc535e923bb97a4b361e89a6383693482057f8b0cFixed66442cf9989bd4489fa80d9f37637d58ab016835Fixedd288fbe652ef43b7128e4bc0c0c2ef6bd03a2210Fixed9e3d47904b8153c8c3ad2f9b66d5008aad677aa8Fixedd21923a8059fa896bfef016f55dd769299335cb4Fixed751f60bd48edaf03f9d84ab09e5ce6705757d50fFixed85dbbf7dc88b0a54f2e334daedf6f3f31fd004faFixed265e56714635c5dd1e5964bfd97fa6e73f62cde5Fixed014077044e874e270ec480515edbc1cadb976cf2
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced4.9.0Fixed5.10.253
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.203
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.167
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.130
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.78
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.20
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed6.19.10