CVE-2026-31422

MEDIUM

net/sched: cls_flow: fix NULL pointer dereference on shared blocks

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_flow: fix NULL pointer dereference on shared blocks flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block. Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below: ======================================================================= KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:flow_change (net/sched/cls_flow.c:508) Call Trace: tc_new_tfilter (net/sched/cls_api.c:2432) rtnetlink_rcv_msg (net/core/rtnetlink.c:6980) [...] =======================================================================

Scores

CVSS v3 5.5
EPSS 0.0012
EPSS Percentile 2.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-476
Status published
Products (27)
linux/Kernel 4.15.0 - 5.10.253linux
linux/Kernel 5.11.0 - 5.15.203linux
linux/Kernel 5.16.0 - 6.1.168linux
linux/Kernel 6.13.0 - 6.18.22linux
linux/Kernel 6.19.0 - 6.19.12linux
linux/Kernel 6.2.0 - 6.6.134linux
linux/Kernel 6.7.0 - 6.12.81linux
Linux/Linux < 4.15
Linux/Linux 1abf272022cf1d18469405f47b4ec49c6a3125db - 1a280dd4bd1d616a01d6ffe0de284c907b555504
Linux/Linux 1abf272022cf1d18469405f47b4ec49c6a3125db - 415ea0c973c754b9f375225807810eb9045f4293
... and 17 more
Published Apr 13, 2026
Tracked Since Apr 13, 2026