Skip to main content

Linux Kernel EUVDEUVD-2026-21945

| CVE-2026-31421 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-13 Linux GHSA-pmqm-g7jm-76hf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 20, 2026 - 18:23 vuln.today
CVSS changed
May 20, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch released
Apr 18, 2026 - 09:16 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
5cf41031922c154aa5ccda8bcdb0f5e6226582ec,3cb055df9e8625ce699a259d8178d67b37f2b160,3d41f9a314afa94b1c7c7c75405920123220e8cd
EUVD ID Assigned
Apr 13, 2026 - 13:45 euvd
EUVD-2026-21945
CVE Published
Apr 13, 2026 - 13:40 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_fw: fix NULL pointer dereference on shared blocks

The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle. Shared blocks leave block->q NULL, causing a NULL deref when an empty cls_fw filter is attached to a shared block and a packet with a nonzero major skb mark is classified.

Reject the configuration in fw_change() when the old method (no TCA_OPTIONS) is used on a shared block, since fw_classify()'s old-method path needs block->q which is NULL for shared blocks.

The fixed null-ptr-deref calling stack: KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:fw_classify (net/sched/cls_fw.c:81) Call Trace: tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860) tc_run (net/core/dev.c:4401) __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)

AnalysisAI

NULL pointer dereference in the Linux kernel's cls_fw traffic classifier (net/sched/cls_fw.c) crashes the kernel when authenticated local users configure an old-method cls_fw filter on a shared tc block and traffic with a nonzero major skb mark is processed. The flaw exists because the old classification path in fw_classify() calls tcf_block_q() and dereferences q->handle, but shared blocks hold a NULL block->q pointer. The impact is limited to local denial of service (kernel panic); no confidentiality or integrity compromise is possible. EPSS is 0.02% (7th percentile), this vulnerability is not in CISA KEV, and no public exploit has been identified at time of analysis.

Technical ContextAI

The Linux kernel traffic control (tc) subsystem uses classifier blocks to attach packet classifiers (qdiscs) to network interfaces. The cls_fw firewall classifier (net/sched/cls_fw.c) supports two internal classification methods: a newer hash-table-based path and an older path that retrieves the parent qdisc handle via tcf_block_q(). The critical distinction is that shared tc blocks - blocks attached to multiple interfaces or qdiscs simultaneously - set block->q to NULL because they have no single owning qdisc. The old-method path in fw_classify() unconditionally dereferences q->handle at memory offset 0x38 without checking for a NULL q, triggering a KASAN-reported null-ptr-deref when a packet with a nonzero major skb mark is classified. The root cause class is CWE-476 (NULL Pointer Dereference). The fix adds a rejection guard in fw_change() that returns an error when the old method (absence of TCA_OPTIONS in the netlink message) is used on a shared block, preventing the unsafe classification path from ever being reached. Affected products per CPE data: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade the Linux kernel to a patched stable release: 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, or 7.0. Upstream fix commits are available at https://git.kernel.org/stable/c/3d41f9a314afa94b1c7c7c75405920123220e8cd (one of six backport commits across stable branches; see also 18328eff2f97d, 5cf41031922c, 3cb055df9e86, 96426c348def, faeea8bbf6e9). If an immediate kernel upgrade is not feasible, the most targeted workaround is to reconfigure any cls_fw filters on shared tc blocks to use the new method by supplying explicit TCA_OPTIONS in the netlink configuration - this avoids the old-method code path entirely. Alternatively, restructure tc configurations to avoid attaching cls_fw filters to shared blocks and use per-qdisc blocks instead; this has no functional side effects for most deployments. In multi-tenant environments (containers, VMs) where unprivileged users can obtain CAP_NET_ADMIN within their network namespace, restricting that capability via seccomp profiles or LSM policies (AppArmor/SELinux) will prevent configuration of the triggering tc setup. Consult NVD advisory https://nvd.nist.gov/vuln/detail/CVE-2026-31421 for additional context.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-21945 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy