Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_fw: fix NULL pointer dereference on shared blocks

The old-method path in fw_classify() calls tcf_block_q() and
dereferences q->handle. Shared blocks leave block->q NULL, causing a
NULL deref when an empty cls_fw filter is attached to a shared block
and a packet with a nonzero major skb mark is classified.

Reject the configuration in fw_change() when the old method (no
TCA_OPTIONS) is used on a shared block, since fw_classify()'s
old-method path needs block->q which is NULL for shared blocks.

The fixed null-ptr-deref calling stack:
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:fw_classify (net/sched/cls_fw.c:81)
Call Trace:
tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)
tc_run (net/core/dev.c:4401)
__dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)
Published: 2026-04-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (kernel crash)
Action: Immediate Patch
AI Analysis

Impact

A null pointer dereference occurs in the cls_fw traffic-control filter when an empty cls_fw filter is attached to a shared block and a packet with a non-zero major skb mark is classified. The vulnerability can cause a kernel panic, leading to a service interruption. The weakness is a NULL pointer dereference, CWE-476.

Affected Systems

Vendors affected are Linux distributions that ship the Linux kernel. The issue exists in any kernel that has exposed the cls_fw filter and shared block functionality without the patch. No specific version numbers are listed, so any kernel prior to the fix commit is potentially vulnerable.

Risk and Exploitability

The CVSS score is 5.5, indicating a moderate severity. The exploit is local and requires permission to configure traffic-control filters, so it is unlikely to be remotely exploitable without elevated privileges. No EPSS value is available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited current exploitation activity. The typical attack path would be an attacker who can deploy traffic-control filters on the machine; they would attach an empty cls_fw filter to a shared block and send a traffic packet with a non–zero mark to trigger the crash.

Generated by OpenCVE AI on April 14, 2026 at 01:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the cls_fw null dereference fix
  • Verify the kernel version with "uname -r" to ensure the patch is applied
  • If immediate kernel upgrade is not possible, avoid configuring empty cls_fw filters on shared blocks to reduce risk

Generated by OpenCVE AI on April 14, 2026 at 01:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Mon, 13 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_fw: fix NULL pointer dereference on shared blocks The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle. Shared blocks leave block->q NULL, causing a NULL deref when an empty cls_fw filter is attached to a shared block and a packet with a nonzero major skb mark is classified. Reject the configuration in fw_change() when the old method (no TCA_OPTIONS) is used on a shared block, since fw_classify()'s old-method path needs block->q which is NULL for shared blocks. The fixed null-ptr-deref calling stack: KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:fw_classify (net/sched/cls_fw.c:81) Call Trace: tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860) tc_run (net/core/dev.c:4401) __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)
Title net/sched: cls_fw: fix NULL pointer dereference on shared blocks
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T13:40:25.278Z

Reserved: 2026-03-09T15:48:24.088Z

Link: CVE-2026-31421

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-13T14:16:11.740

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-31421

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-13T00:00:00Z

Links: CVE-2026-31421 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:34:27Z

Weaknesses