Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_flow: fix NULL pointer dereference on shared blocks

flow_change() calls tcf_block_q() and dereferences q->handle to derive
a default baseclass. Shared blocks leave block->q NULL, causing a NULL
deref when a flow filter without a fully qualified baseclass is created
on a shared block.

Check tcf_block_shared() before accessing block->q and return -EINVAL
for shared blocks. This avoids the null-deref shown below:

=======================================================================
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:flow_change (net/sched/cls_flow.c:508)
Call Trace:
tc_new_tfilter (net/sched/cls_api.c:2432)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)
[...]
=======================================================================
Published: 2026-04-13
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Kernel Crash
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is in the Linux kernel’s traffic-control code, specifically the cls_flow classifier (net/sched/cls_flow.c). When a flow filter without a fully qualified baseclass is created on a shared block, whose queue pointer is NULL, flow_change() reads q->handle through that NULL pointer, resulting in a kernel panic. This is a pure crash condition that can cause the system to become unusable, but it does not allow execution of arbitrary code or compromise of data.
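The pattern described above and the guard the fix adds, as a user-space C model added here (not the kernel's code): `qdisc_model`, `block_model`, `block_shared` and both `baseclass_*` functions are simplified, hypothetical stand-ins, and "fully qualified" is taken to mean a non-zero major part in the handle.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Handle layout as in include/uapi/linux/pkt_sched.h: major:minor, 16 bits each. */
#define TC_H_MAJ_MASK 0xFFFF0000U
#define TC_H_MIN_MASK 0x0000FFFFU
#define TC_H_MAJ(h) ((h) & TC_H_MAJ_MASK)
#define TC_H_MAKE(maj, min) (((maj) & TC_H_MAJ_MASK) | ((min) & TC_H_MIN_MASK))

/* Hypothetical, simplified stand-ins for the kernel structures (model only). */
struct qdisc_model { uint32_t handle; };
struct block_model {
    uint32_t index;          /* assumption: non-zero marks a shared block */
    struct qdisc_model *q;   /* NULL on a shared block, as the page states */
};

static int block_shared(const struct block_model *b) { return b->index != 0; }

/* Pre-fix pattern: derives the default major from q with no shared-block check. */
static int baseclass_unpatched(const struct block_model *b, uint32_t *bc)
{
    if (TC_H_MAJ(*bc) == 0)
        *bc = TC_H_MAKE(b->q->handle, *bc);  /* NULL deref when b is shared */
    return 0;
}

/* Post-fix pattern: refuse to derive a default on a shared block. */
static int baseclass_patched(const struct block_model *b, uint32_t *bc)
{
    if (TC_H_MAJ(*bc) == 0) {
        if (block_shared(b))
            return -EINVAL;                  /* no owning qdisc to take a major from */
        *bc = TC_H_MAKE(b->q->handle, *bc);
    }
    return 0;
}

int main(void)
{
    struct qdisc_model q = { 0x00010000U };  /* constructed sample: handle 1: */
    struct block_model own = { 0, &q }, shared = { 7, NULL };
    uint32_t a = 0x5, b = 0x5, c = 0x00020005U, d = 0x5;
    int r0 = baseclass_unpatched(&own, &d);  /* safe only because q is set */
    int r1 = baseclass_patched(&own, &a);    /* default major taken from q */
    int r2 = baseclass_patched(&shared, &b); /* rejected, b left untouched */
    int r3 = baseclass_patched(&shared, &c); /* already qualified, q never read */
    printf("%d %08x\n%d %08x\n%d %08x\n%d %08x\n", r0, (unsigned)d, r1, (unsigned)a,
           r2, (unsigned)b, r3, (unsigned)c);
    return 0;
}
```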

Affected Systems

Any system running a Linux kernel that includes the vulnerable cls_flow implementation and has not yet incorporated the patch that adds the shared-block check is affected. The vulnerability resides in the core kernel, so it applies to all distributions that ship the unpatched kernel source. Specific version identifiers are not listed in the data, but any kernel version preceding the commit that adds the check should be considered vulnerable.

Risk and Exploitability

The CVSS score of 4.7 classifies the severity as moderate. An EPSS value is not available, and the flaw is not listed in CISA’s KEV catalog, indicating no widespread confirmed exploitation. The data describes the kernel panic trigger but does not specify how to reach the vulnerable code. Based on the description, it is inferred that an attacker would need to send a specially crafted netlink message to the networking stack to create the problematic flow filter. However, the exact privilege level required (e.g., root, CAP_NET_ADMIN) is not directly stated in the available information. Consequently, the overall risk is moderate for hosts where an attacker can attain the necessary privileges or influence networking configurations, while it is lower for environments lacking such access.

Generated by OpenCVE AI on April 14, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check if the running kernel includes the commit that adds the tcf_block_shared() check to flow_change(); if not, upgrade the kernel to the latest stable release that contains the patch.
  • Verify the patch by reviewing the change list or running 'uname -r' to confirm the kernel version matches known fixed releases.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-476
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Moderate


Mon, 13 Apr 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_flow: fix NULL pointer dereference on shared blocks flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block. Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below: ======================================================================= KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:flow_change (net/sched/cls_flow.c:508) Call Trace: tc_new_tfilter (net/sched/cls_api.c:2432) rtnetlink_rcv_msg (net/core/rtnetlink.c:6980) [...] =======================================================================
Title | | net/sched: cls_flow: fix NULL pointer dereference on shared blocks
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T13:40:25.911Z

Reserved: 2026-03-09T15:48:24.088Z

Link: CVE-2026-31422

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-13T14:16:11.907

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-31422

Redhat

Severity: Moderate

Public Date: 2026-04-13T00:00:00Z

Links: CVE-2026-31422 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:34:26Z

Weaknesses