Skip to main content

Linux Kernel EUVDEUVD-2026-21947

| CVE-2026-31423 MEDIUM
Divide By Zero (CWE-369)
2026-04-13 Linux GHSA-mgjx-cg3q-7vjw
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 20, 2026 - 18:08 vuln.today
CVSS changed
May 20, 2026 - 18:07 NVD
5.5 (MEDIUM)
Patch released
Apr 18, 2026 - 09:16 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
4576100b8cd03118267513cafacde164b498b322,25b6821884713a31e2b49fb67b0ebd765b33e0a9,17c1b9807b8a67d676b6dcf749ee932ebaa7f568
EUVD ID Assigned
Apr 13, 2026 - 13:45 euvd
EUVD-2026-21947
CVE Published
Apr 13, 2026 - 13:40 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()

m2sm() converts a u32 slope to a u64 scaled value. For large inputs (e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores the difference of two such u64 values in a u32 variable dsm and uses it as a divisor. When the difference is exactly 2^32 the truncation yields zero, causing a divide-by-zero oops in the concave-curve intersection path:

Oops: divide error: 0000 RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601) Call Trace: init_ed (net/sched/sch_hfsc.c:629) hfsc_enqueue (net/sched/sch_hfsc.c:1569) [...]

Widen dsm to u64 and replace do_div() with div64_u64() so the full difference is preserved.

AnalysisAI

Divide-by-zero in the Linux kernel's HFSC traffic scheduler (net/sched/sch_hfsc.c) allows a local authenticated user to crash the kernel via a denial-of-service oops. The flaw is triggered by enqueueing packets through an HFSC qdisc configured with slope values that cause a u64-to-u32 arithmetic truncation to yield a zero divisor in rtsc_min(). With EPSS at 0.02% (7th percentile), no CISA KEV listing, and no public exploit code identified at time of analysis, real-world exploitation risk is currently low, though the crash path is deterministic and reproducible by anyone with HFSC configuration access.

Technical ContextAI

The Linux kernel's HFSC (Hierarchical Fair Service Curve) subsystem implements QoS queuing disciplines (qdiscs) used to enforce per-flow service guarantees on network interfaces. The vulnerability resides in rtsc_min() (net/sched/sch_hfsc.c:601), which computes the intersection of two concave service curves. The helper m2sm() converts a u32 slope to a u64 scaled representation; for large inputs such as m1=4000000000, the result approaches 2^32. When two such u64 values differ by exactly 2^32, storing the difference in a u32 variable dsm truncates it to zero via integer wraparound. This zero value is then passed as the divisor to do_div() inside the concave-curve intersection logic, triggering an unhandled kernel divide error (Oops). CWE-369 (Divide By Zero) precisely classifies this as an arithmetic width-mismatch error. The upstream fix widens dsm to u64 and replaces do_div() with div64_u64() to preserve the full 64-bit difference. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

Apply the vendor-released patches by upgrading to the fixed stable kernel version appropriate for the running branch: Linux 6.1.168, 6.6.134, 6.12.81, 6.18.22, or 6.19.12, per EUVD-2026-21947. Patch commits are available at https://git.kernel.org/stable/c/25b6821884713a31e2b49fb67b0ebd765b33e0a9 and related stable-tree references. Major Linux distributions (Debian, Red Hat, Ubuntu, SUSE) are expected to carry these backports; check their respective security advisories for specific package version numbers. If immediate kernel upgrade is not feasible, restrict access to the tc (traffic control) interface by ensuring only processes with CAP_NET_ADMIN in the root network namespace can configure qdiscs - this eliminates the attack surface for unprivileged users. Additionally, if unprivileged user namespace creation is not operationally required, setting kernel.unprivileged_userns_clone=0 (where supported) prevents namespace-based privilege escalation to qdisc configuration. Note that restricting tc access may disrupt legitimate QoS configurations and should be evaluated against network management requirements before deployment.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Affected
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed

Share

EUVD-2026-21947 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy