Skip to main content

Linux Kernel EUVDEUVD-2026-31274

| CVE-2026-43496 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-21 Linux GHSA-86mq-wj5h-4fr6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only attack vector; attacker with low privileges (CAP_NET_ADMIN via userns) can self-configure the trigger; no confidentiality or integrity impact, only kernel panic.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 19:46 vuln.today
CVSS changed
Jun 26, 2026 - 17:37 NVD
5.5 (MEDIUM)
Patch available
May 21, 2026 - 13:01 EUVD
CVE Published
May 21, 2026 - 12:12 nvd
MEDIUM 5.5
CVE Published
May 21, 2026 - 12:12 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked

When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following: 1a. do a peek() - and when sensing there's an skb the child can offer, then

  • the child in this case(red) calls its child's (qfq) peek.

qfq does the right thing and will return the gso_skb queue packet. Note: if there wasnt a gso_skb entry then qfq will store it there. 1b. invoke a dequeue() on the child (red). And herein lies the problem.

  • red will call the child's dequeue() which will essentially just

try to grab something of qfq's queue.

[ 78.667668][ T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [ 78.667927][ T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [ 78.668263][ T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 78.668486][ T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [ 78.668718][ T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [ 78.669312][ T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [ 78.669533][ T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 78.669790][ T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [ 78.670044][ T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [ 78.670297][ T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [ 78.670560][ T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [ 78.670814][ T363] FS: 00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [ 78.671110][ T363] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 78.671324][ T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [ 78.671585][ T363] PKRU: 55555554 [ 78.671713][ T363] Call Trace: [ 78.671843][ T363] <TASK> [ 78.671936][ T363] ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [ 78.672148][ T363] ? __pfx__printk+0x10/0x10 [ 78.672322][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.672496][ T363] ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [ 78.672706][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.672875][ T363] ? trace_hardirqs_on+0x19/0x1a0 [ 78.673047][ T363] red_dequeue+0x65/0x270 [sch_red] [ 78.673217][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.673385][ T363] tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [ 78.673566][ T363] __qdisc_run+0x169/0x1900

The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.

AnalysisAI

Null pointer dereference in the Linux kernel's RED qdisc (sch_red) allows a local user with low privileges to trigger a kernel panic and system crash when a specific nested qdisc hierarchy is configured. The flaw occurs in net/sched/sch_red.c when RED calls its child qdisc's dequeue() directly after a peek() has already cached the packet in QFQ's gso_skb buffer, causing QFQ's dequeue path to dereference a null pointer. No public exploit has been identified at time of analysis, and EPSS is 0.02% (7th percentile), reflecting very low real-world exploitation probability.

Technical ContextAI

The vulnerability resides in the Linux kernel's traffic control (tc) subsystem, specifically in net/sched/sch_red.c, which implements the Random Early Detection queuing discipline. RED qdiscs can be chained hierarchically; the bug is exposed in a TBF (Token Bucket Filter) → RED → QFQ (Quick Fair Queueing) configuration where QFQ's peek() callback is qdisc_peek_dequeued(). When TBF invokes peek() on RED, RED correctly forwards to QFQ's peek, which stores the candidate packet in the gso_skb queue. However, when TBF subsequently calls dequeue() on RED, RED incorrectly invokes QFQ's dequeue() directly rather than using qdisc_dequeue_peeked(), which is the correct method to retrieve the already-peeked skb from gso_skb. QFQ's dequeue path then attempts to dereference a null pointer at offset 0x48, confirmed by the KASAN trace in the CVE description (null-ptr-deref in range 0x48-0x4f). The root cause class is CWE-476 (NULL Pointer Dereference). Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. The fix replaces the direct dequeue() call in red_dequeue with qdisc_dequeue_peeked().

RemediationAI

Vendor-released patches are available across multiple stable branches: upgrade to Linux 6.6.140 or later for 6.6.x LTS, Linux 6.12.88 or later for 6.12.x, Linux 6.18.30 or later for 6.18.x, or Linux 7.0.7 or later for 7.0.x. Patch commits for each branch are available at https://git.kernel.org/stable/. Distribution maintainers (Red Hat, Ubuntu, SUSE, Debian) should be tracked for backported stable packages. If immediate patching is not possible, the most effective compensating control is to audit and remove any TBF→RED→QFQ (or equivalent qdisc_peek_dequeued-using child) qdisc hierarchies using 'tc qdisc del'; this eliminates the vulnerable code path with no impact on interfaces using default pfifo_fast qdiscs. As a secondary control, restricting CAP_NET_ADMIN by disabling unprivileged user namespaces (sysctl -w kernel.unprivileged_userns_clone=0 on Debian/Ubuntu derivatives, or kernel.unprivileged_userns_users=0) prevents low-privileged users from self-configuring the trigger condition, though this has a side effect of breaking some container and sandboxing use cases that rely on user namespaces.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-31274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy