Skip to main content

Linux Kernel CVE-2026-31422

| EUVDEUVD-2026-21946 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-13 Linux GHSA-6pmm-j8mh-qwgf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
4.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 20, 2026 - 18:23 vuln.today
CVSS changed
May 20, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch released
Apr 18, 2026 - 09:16 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
4a09f72007201c9f667dc47f64517ec23eea65e5,415ea0c973c754b9f375225807810eb9045f4293,1a280dd4bd1d616a01d6ffe0de284c907b555504
EUVD ID Assigned
Apr 13, 2026 - 13:45 euvd
EUVD-2026-21946
CVE Published
Apr 13, 2026 - 13:40 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_flow: fix NULL pointer dereference on shared blocks

flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block.

Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below:

=============== KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:flow_change (net/sched/cls_flow.c:508) Call Trace: tc_new_tfilter (net/sched/cls_api.c:2432) rtnetlink_rcv_msg (net/core/rtnetlink.c:6980) [...] ===============

AnalysisAI

NULL pointer dereference in the Linux kernel's net/sched cls_flow traffic classifier allows a local low-privileged attacker to crash the kernel (denial of service) by creating a flow filter on a shared traffic control block without a fully qualified baseclass. The crash occurs in flow_change() at net/sched/cls_flow.c:508, confirmed by a KASAN trace showing null-ptr-deref when block->q is dereferenced on a shared block where it is intentionally NULL. No active exploitation confirmed - not listed in CISA KEV - and EPSS stands at 0.02% (7th percentile), indicating negligible real-world exploitation probability at time of analysis.

Technical ContextAI

The Linux kernel traffic control (tc) subsystem provides the cls_flow classifier (net/sched/cls_flow.c) for packet classification based on flow attributes. In flow_change(), the code calls tcf_block_q() to retrieve the associated qdisc queue and then dereferences block->q->handle to derive a default baseclass for the flow filter. Shared blocks - a feature allowing multiple qdiscs to reference a single filter block - intentionally set block->q to NULL, as no single qdisc owns the block. The code failed to call tcf_block_shared() before accessing block->q, violating the API contract for shared blocks. CWE-476 (NULL Pointer Dereference) is the root cause class: the pointer is consumed without a NULL guard. The fix adds a tcf_block_shared() check at the top of the affected code path and returns -EINVAL, rejecting shared-block filter creation that lacks an explicit baseclass. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade to a patched kernel version: 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, or 7.0, as confirmed by the EUVD data and upstream stable commits. The authoritative fix commits are indexed at https://git.kernel.org/stable/c/cc707a4fd4c3b6ab2722e06bc359aa010e13d408 and related stable-tree commits listed in references. For systems where an immediate kernel upgrade is not feasible, restrict access to tc (traffic control) operations by enforcing that only processes with CAP_NET_ADMIN in the initial network namespace - not within user-created namespaces - can modify traffic classifiers; this is achievable via seccomp profiles or LSM policy (AppArmor/SELinux) blocking rtnetlink operations for unprivileged users. Note that disabling user namespace creation system-wide (sysctl kernel.unprivileged_userns_clone=0 on supported distros) eliminates the container-based escalation path but may break legitimate container workloads. Distribution-specific kernel packages (RHEL, Debian, Ubuntu) should be monitored for backported fixes.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Affected
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed

Share

CVE-2026-31422 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy