Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy

syzbot reported a crash in tc_act_in_hw() during netns teardown where
tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action
pointer, leading to an invalid dereference.

Guard against ERR_PTR entries when iterating the action IDR so teardown
does not call tc_act_in_hw() on an error pointer.
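
The guard described above, modelled in user-space C. This is an added example, not the kernel patch or code from this advisory: `struct action`, `SLOTS` and `destroy_all` are hypothetical stand-ins for `struct tc_action`, the action IDR and the teardown loop, and the sample data is constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* User-space copies of the kernel's error-pointer helpers (linux/err.h). */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr)
{
    return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

/* Hypothetical stand-in for struct tc_action: only the field the walk reads. */
struct action { unsigned int index; int in_hw; };

/* Hypothetical stand-in for the action IDR: a slot is NULL (free), a live
 * action, or ERR_PTR(-EBUSY) marking an index with no action behind it. */
#define SLOTS 4

/* Teardown walk with the guard. Returns how many live actions were offloaded;
 * *skipped counts error-pointer slots. Without the IS_ERR() test, p->in_hw
 * would be read from an address near the top of the address space. */
int destroy_all(struct action *slots[SLOTS], int *skipped)
{
    int in_hw = 0;
    *skipped = 0;
    for (int i = 0; i < SLOTS; i++) {
        struct action *p = slots[i];
        if (!p)
            continue;
        if (IS_ERR(p)) {        /* not an object: never dereference */
            (*skipped)++;
            continue;
        }
        in_hw += p->in_hw ? 1 : 0;
    }
    return in_hw;
}

int main(void)
{
    struct action a = { 1, 1 }, b = { 3, 0 };   /* constructed sample data */
    struct action *slots[SLOTS] = { &a, ERR_PTR(-EBUSY), &b, NULL };
    int skipped, n = destroy_all(slots, &skipped);
    printf("in_hw=%d skipped=%d err=%ld\n", n, skipped, PTR_ERR(slots[1]));
    return 0;
}
```

A NULL check alone does not catch this case: `ERR_PTR(-EBUSY)` is non-NULL, so only the `IS_ERR()` test keeps the loop from dereferencing it.
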
Published: 2026-01-23
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (kernel crash)
Action: Apply Patch
AI Analysis

Impact

In the Linux kernel’s traffic control subsystem (net/sched), an error-handling flaw caused the kernel to dereference an error pointer as if it were a valid action object while destroying a network namespace. The invalid dereference resulted in a kernel panic, disrupting system availability. The weakness is classified as a NULL pointer dereference (CWE‑476).

Affected Systems

The vulnerability affects Linux kernel releases that include the buggy net/sched code. Known affected builds are the 6.19 release candidates rc1, rc2, rc3, and rc4, as identified by the provided CPE entries. Earlier kernel versions that contain the same code path may also be vulnerable, but this is not explicitly confirmed in the advisory.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity, and the EPSS score is below 1%, with no listing in the CISA KEV catalog. The flaw is locally exploitable in the context of kernel operations that delete a network namespace, which typically requires administrative or privilege‑escalated access. An attacker would need to trigger a namespace teardown to cause the crash; remote triggering or code execution is not required. Overall, the risk is moderate, principally impacting system availability for users with sufficient privileges on affected kernel versions.

Generated by OpenCVE AI on April 18, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that incorporates the fix for this issue, such as any release following 6.19 rc4 that includes the patch shown in the advisory.
  • If an immediate kernel upgrade is not possible, limit or disable automated or untrusted processes that perform network namespace teardown until the patch is applied.
  • Configure system monitoring to generate alerts on kernel panic or abnormal shutdown events to detect exploitation attempts early.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 19:00:00 +0000

Weaknesses
  Added: CWE-476
CPEs
  Added: cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
  Added: cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
  Added: cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
  Added: cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
Metrics
  Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Sat, 24 Jan 2026 00:15:00 +0000

References
Metrics
  Removed: threat_severity None
  Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: threat_severity Important


Fri, 23 Jan 2026 15:30:00 +0000

Description
  Added: In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy syzbot reported a crash in tc_act_in_hw() during netns teardown where tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action pointer, leading to an invalid dereference. Guard against ERR_PTR entries when iterating the action IDR so teardown does not call tc_act_in_hw() on an error pointer.
Title
  Added: net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy
First Time appeared
  Added: Linux
  Added: Linux linux Kernel
CPEs
  Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products
  Added: Linux
  Added: Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:36:37.917Z

Reserved: 2026-01-13T15:37:45.937Z

Link: CVE-2026-22987

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-01-23T16:15:54.757

Modified: 2026-02-26T18:49:04.210

Link: CVE-2026-22987

Redhat

Severity: Important

Public Date: 2026-01-23T00:00:00Z

Links: CVE-2026-22987 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:15:03Z

Weaknesses