Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_flow: fix NULL pointer dereference on shared blocks

flow_change() calls tcf_block_q() and dereferences q->handle to derive
a default baseclass. Shared blocks leave block->q NULL, causing a NULL
deref when a flow filter without a fully qualified baseclass is created
on a shared block.

Check tcf_block_shared() before accessing block->q and return -EINVAL
for shared blocks. This avoids the null-deref shown below:

=======================================================================
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:flow_change (net/sched/cls_flow.c:508)
Call Trace:
tc_new_tfilter (net/sched/cls_api.c:2432)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)
[...]
=======================================================================
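The check described above, as an added example: a simplified user-space model, not the kernel patch or code from this page. The struct layouts, block_shared(), derive_baseclass() and the sample handles are constructed for illustration, and placing the check inside the unqualified-baseclass branch is an assumption of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel types; only the fields this bug
 * touches are modelled (hypothetical layouts, not the kernel's). */
struct qdisc { uint32_t handle; };
struct tcf_block { uint32_t index; struct qdisc *q; };

#define TC_H_MAJ(h)         ((h) & 0xFFFF0000U)
#define TC_H_MAKE(maj, min) (((maj) & 0xFFFF0000U) | ((min) & 0x0000FFFFU))

/* Model assumption: a non-zero index marks a shared block. */
static int block_shared(const struct tcf_block *b) { return b->index != 0; }

/* Derive the default baseclass the way the description explains it.
 * Returns 0 and writes *out, or -EINVAL when the major number would
 * have to come from a qdisc that a shared block does not have. */
static int derive_baseclass(const struct tcf_block *b, uint32_t baseclass,
                            uint32_t *out)
{
    if (TC_H_MAJ(baseclass) == 0) {
        /* Not fully qualified: the major part comes from q->handle.
         * Without this check the next line reads through a NULL q. */
        if (block_shared(b))
            return -EINVAL;
        baseclass = TC_H_MAKE(b->q->handle, baseclass);
    }
    *out = baseclass;
    return 0;
}

int main(void)
{
    struct qdisc q = { .handle = 0x00010000U };         /* constructed */
    struct tcf_block owned = { .index = 0, .q = &q };
    struct tcf_block shared = { .index = 7, .q = NULL }; /* constructed */
    uint32_t out = 0;
    int rc = derive_baseclass(&owned, 0x0001U, &out);

    printf("owned:  rc=%d baseclass=%08x\n", rc, (unsigned)out);
    rc = derive_baseclass(&shared, 0x0001U, &out);
    printf("shared: rc=%d (rejected instead of crashing)\n", rc);
    return 0;
}
```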
Published: 2026-04-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in the Linux kernel’s traffic‑control code, specifically the cls_flow classifier. When a flow filter without a fully qualified baseclass is created on a shared block, whose qdisc pointer (block->q) is NULL, flow_change() dereferences that NULL pointer to read q->handle, causing a kernel panic. This is a pure crash condition and does not permit arbitrary code execution; it results in a denial of service by making the host unusable or requiring a reboot.

Affected Systems

Any Linux system that includes the vulnerable cls_flow implementation and has not yet integrated the upstream null‑check is affected. This applies to all distributions shipping the unpatched kernel source where the commit adding the safety guard has not been incorporated. The vulnerable code exists in the core kernel, so the impact is not limited to a specific distribution. No explicit version range is listed, but any kernel version before the patch is considered vulnerable.

Risk and Exploitability

The CVSS score of 5.5 rates the severity as moderate. The EPSS score of < 1 % indicates a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The description implies that the attack would require sending a crafted netlink message to create a problematic flow filter, which typically needs CAP_NET_ADMIN or root privileges. Consequently, the overall risk is moderate for hosts where an adversary can influence networking configuration, while it remains lower for strictly isolated or privileged‑restricted environments.

Generated by OpenCVE AI on May 20, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that contains the null‑check for shared blocks, such as the latest stable release from the distribution’s repository.
  • If a quick kernel upgrade is not feasible, apply the upstream patch that adds the missing tcf_block_shared() check to flow_change() before block->q is accessed; the patch can be obtained from the commits listed in the references.
  • If upgrading or patching is not possible, disable the cls_flow module and related traffic‑control functionality or enforce strict CAP_NET_ADMIN requirements when creating flow filters, thereby preventing the execution path that triggers the null dereference.


Advisories
Source       ID           Title
Debian DLA   DLA-4561-1   linux-6.1 security update
Debian DSA   DSA-6238-1   linux security update
Debian DSA   DSA-6243-1   linux security update
History

Wed, 20 May 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Sat, 18 Apr 2026 09:15:00 +0000


Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
References
Metrics threat_severity

None

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Mon, 13 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Title net/sched: cls_flow: fix NULL pointer dereference on shared blocks
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:24.111Z

Reserved: 2026-03-09T15:48:24.088Z

Link: CVE-2026-31422

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-13T14:16:11.907

Modified: 2026-05-20T18:08:43.857

Link: CVE-2026-31422

Redhat

Severity: Moderate

Public Date: 2026-04-13T00:00:00Z

Links: CVE-2026-31422 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T20:30:39Z
