Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_qfq: do not free existing class in qfq_change_class()

Fixes qfq_change_class() error case.

cl->qdisc and cl should only be freed if a new class and qdisc
were allocated, or we risk various UAF.
Published: 2026-01-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑after‑free in Linux QFQ network scheduler potentially causing kernel instability
Action: Apply Patch
AI Analysis

Impact

The defect lies in the qfq_change_class() routine of the Linux kernel's QFQ traffic scheduler. When a change to an existing class fails, the error path frees cl->qdisc and cl even though this call did not allocate them and the scheduler still references them, leaving dangling pointers. Any later use of the freed memory is a use‑after‑free (UAF), which can crash the kernel or, in a more elaborate scenario, lead to arbitrary code execution in kernel context.
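As an added illustration (not the kernel's sch_qfq code), the following C model captures the ownership rule the fix description states: on a failed change, only the objects this call allocated may be freed, never a pre-existing class and its qdisc. The struct names, the `buggy` switch, the allocation-failure hook and the marking "frees" are all constructed for the demonstration.

```c
#include <stdlib.h>
/* Constructed model of the error path; not the kernel's sch_qfq code. */
struct qdisc { int limit; int freed; };
struct cls   { struct qdisc *qdisc; int weight; int freed; };
static int fail_next_qdisc_alloc;  /* hook to force one allocation failure */
static struct qdisc *qdisc_create(int limit)
{
    struct qdisc *q = fail_next_qdisc_alloc ? NULL : calloc(1, sizeof *q);
    fail_next_qdisc_alloc = 0;
    if (q) q->limit = limit;
    return q;
}
/* Mock frees only mark the object, so a dangling reference is observable safely. */
static void free_qdisc(struct qdisc *q) { if (q) q->freed = 1; }
static void free_cls(struct cls *cl)    { if (cl) cl->freed = 1; }

/* Create (*clp == NULL) or change an existing class. 'buggy' selects the
 * unconditional error-path cleanup that the fix removed. */
static int change_class(struct cls **clp, int weight, int limit, int buggy)
{
    struct cls *cl = *clp;
    int new_class = (cl == NULL);
    if (new_class && !(cl = calloc(1, sizeof *cl)))
        return -1;
    struct qdisc *q = qdisc_create(limit);
    if (!q) {
        /* Fixed: undo only this call's allocation. Buggy: also frees a
         * pre-existing class the scheduler still references (UAF). */
        if (new_class || buggy) { free_qdisc(cl->qdisc); free_cls(cl); }
        return -1;
    }
    free_qdisc(cl->qdisc);  /* the replaced qdisc goes away on success */
    cl->qdisc = q;
    cl->weight = weight;
    *clp = cl;
    return 0;
}

/* Creates a class, then forces a change of it to fail. Returns 1 if the live
 * class or its qdisc was freed (the bug), 0 if both survived (the fix). */
static int live_class_freed_after_failed_change(int buggy)
{
    struct cls *cl = NULL;
    if (change_class(&cl, 1, 100, buggy) != 0) return -1;
    fail_next_qdisc_alloc = 1;
    int rc = change_class(&cl, 2, 200, buggy);
    int freed = (rc != 0) && (cl->freed || cl->qdisc->freed);
    free(cl->qdisc); free(cl);
    return freed;
}
```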

Affected Systems

The flaw affects all Linux kernel builds that include the QFQ scheduler and have not yet incorporated the patch, notably the 6.19 release candidates rc1 through rc5 and any derivative kernels that ship with the default QFQ configuration. Operating systems built on these kernel versions, as tracked under the Linux CNA, are therefore affected.

Risk and Exploitability

The CVSS score of 5.5 classifies the vulnerability as moderate, and the EPSS of less than 1% indicates a low probability that attackers will target this flaw in the wild. It is not listed in the CISA KEV catalog. Exploitation requires the ability to influence QFQ class configuration; given the nature of the code path, the likely vector is local manipulation of traffic class assignments on an already compromised or privileged host. Remote exploitation without such a foothold is not supported by the CVE description.

Generated by OpenCVE AI on April 18, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that contains the CVE‑2026‑22999 fix (for example, 6.20 or later)
  • If an upgrade is not immediately possible, disable the QFQ qdisc on all interfaces or replace it with a non‑vulnerable scheduler such as pfifo or fq_codel to avoid the affected code path
  • Continuously monitor kernel logs for indications of out‑of‑bounds or corruption errors during network handling, and run memory integrity checks to detect kernel instability



Advisories
Source       ID           Title
Debian DLA   DLA-4475-1   linux security update
Debian DLA   DLA-4476-1   linux-6.1 security update
Debian DSA   DSA-6126-1   linux security update
Debian DSA   DSA-6127-1   linux security update
Ubuntu USN   USN-8162-1   Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN   USN-8180-1   Linux kernel vulnerabilities
Ubuntu USN   USN-8180-2   Linux kernel (FIPS) vulnerabilities
Ubuntu USN   USN-8186-1   Linux kernel (Real-time) vulnerabilities
Ubuntu USN   USN-8187-1   Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN   USN-8188-1   Linux kernel (HWE) vulnerabilities
Ubuntu USN   USN-8180-3   Linux kernel vulnerabilities
Ubuntu USN   USN-8180-4   Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN   USN-8180-5   Linux kernel (IBM) vulnerabilities
History

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 18 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Fri, 06 Feb 2026 16:45:00 +0000


Fri, 30 Jan 2026 10:00:00 +0000


Mon, 26 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Sun, 25 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF.
Title net/sched: sch_qfq: do not free existing class in qfq_change_class()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-27T14:02:04.370Z

Reserved: 2026-01-13T15:37:45.938Z

Link: CVE-2026-22999

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-01-25T15:15:54.753

Modified: 2026-04-27T14:16:28.767

Link: CVE-2026-22999

Redhat

Severity : Important

Public Date: 2026-01-25T00:00:00Z

Links: CVE-2026-22999 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:15:03Z

Weaknesses