CVE-2026-31423 - Vulnerability Details

- net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()

m2sm() converts a u32 slope to a u64 scaled value. For large inputs
(e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores
the difference of two such u64 values in a u32 variable `dsm` and
uses it as a divisor. When the difference is exactly 2^32 the
truncation yields zero, causing a divide-by-zero oops in the
concave-curve intersection path:

Oops: divide error: 0000
RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601)
Call Trace:
init_ed (net/sched/sch_hfsc.c:629)
hfsc_enqueue (net/sched/sch_hfsc.c:1569)
[...]

Widen `dsm` to u64 and replace do_div() with div64_u64() so the full
difference is preserved.

Published: 2026-04-13

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw lies in the Linux kernel traffic scheduler module, where a division by zero occurs in the rtsc_min() function of the HFSC scheduler. When a particular calculation yields a divisor of zero due to integer truncation, the kernel raises an oops exception that forces a crash. This results in a denial of service, preventing the kernel or affected processes from continuing until a reboot or restart.

Affected Systems

The vulnerability is present in any Linux kernel that implements the HFSC fair scheduling algorithm. The advisory does not specify which kernel releases are affected, so all builds containing the current sch_hfsc implementation may be vulnerable until a patched release is applied.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity. The issue is not listed in the CISA KEV catalog and no EPSS score is available. Exploitation would require triggering the HFSC scheduler with crafted traffic, implying a local or privileged access requirement. The precise attack vector is not detailed, but an attacker that can cause the scheduler to process malicious packets can induce a kernel crash and temporary denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< ad8e8fec40290a8c8cf145c0deaadf76f80c5163
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< ab1ff5890c7354afc7be56502fcfbd61f3b7ae4f
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 25b6821884713a31e2b49fb67b0ebd765b33e0a9
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< c56f78614e7781aaceca9bd3cb2128bf7d45c3bd
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< b9e6431cbea8bb1fae8069ed099b4ee100499835
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 17c1b9807b8a67d676b6dcf749ee932ebaa7f568
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d0aefec1b1a1ba2c1d251028dc2c4e5b4ce1fea5
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 4576100b8cd03118267513cafacde164b498b322

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,25b6821884713a31e2b49fb67b0ebd765b33e0a9)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,c56f78614e7781aaceca9bd3cb2128bf7d45c3bd)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,b9e6431cbea8bb1fae8069ed099b4ee100499835)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,17c1b9807b8a67d676b6dcf749ee932ebaa7f568)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d0aefec1b1a1ba2c1d251028dc2c4e5b4ce1fea5)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,4576100b8cd03118267513cafacde164b498b322)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.12`	affected	semver	—
`[0,2.6.12)`	unaffected	generic	—
`[6.1.168,6.2.0)`	unaffected	semver	—
`[6.6.134,6.7.0)`	unaffected	semver	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest kernel update that incorporates the fix for the divide‑by‑zero issue in sch_hfsc.
Verify your running kernel version and upgrade to a patched release as soon as possible.

Generated by OpenCVE AI on April 14, 2026 at 01:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6238-1	linux security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/17c1b9807b8a67d676b6dcf749ee932ebaa7f568
https://git.kernel.org/stable/c/25b6821884713a31e2b49fb67b0ebd765b33e0a9
https://git.kernel.org/stable/c/4576100b8cd03118267513cafacde164b498b322
https://git.kernel.org/stable/c/ab1ff5890c7354afc7be56502fcfbd61f3b7ae4f
https://git.kernel.org/stable/c/ad8e8fec40290a8c8cf145c0deaadf76f80c5163
https://git.kernel.org/stable/c/b9e6431cbea8bb1fae8069ed099b4ee100499835
https://git.kernel.org/stable/c/c56f78614e7781aaceca9bd3cb2128bf7d45c3bd
https://git.kernel.org/stable/c/d0aefec1b1a1ba2c1d251028dc2c4e5b4ce1fea5
https://lore.kernel.org/linux-cve-announce/2026041356-CVE-2026-31423-ed66@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31423
https://www.cve.org/CVERecord?id=CVE-2026-31423

History

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/ab1ff5890c7354afc7be56502fcfbd61f3b7ae4f https://git.kernel.org/stable/c/ad8e8fec40290a8c8cf145c0deaadf76f80c5163

Tue, 14 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-369
References		https://lore.kernel.org/linux-cve-announce/2026041356-CVE-2026-31423-ed66@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31423 https://www.cve.org/CVERecord?id=CVE-2026-31423
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Mon, 13 Apr 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() m2sm() converts a u32 slope to a u64 scaled value. For large inputs (e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores the difference of two such u64 values in a u32 variable `dsm` and uses it as a divisor. When the difference is exactly 2^32 the truncation yields zero, causing a divide-by-zero oops in the concave-curve intersection path: Oops: divide error: 0000 RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601) Call Trace: init_ed (net/sched/sch_hfsc.c:629) hfsc_enqueue (net/sched/sch_hfsc.c:1569) [...] Widen `dsm` to u64 and replace do_div() with div64_u64() so the full difference is preserved.
Title		net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/17c1b9807b8a67d676b6dcf749ee932ebaa7f568 https://git.kernel.org/stable/c/25b6821884713a31e2b49fb67b0ebd765b33e0a9 https://git.kernel.org/stable/c/4576100b8cd03118267513cafacde164b498b322 https://git.kernel.org/stable/c/b9e6431cbea8bb1fae8069ed099b4ee100499835 https://git.kernel.org/stable/c/c56f78614e7781aaceca9bd3cb2128bf7d45c3bd https://git.kernel.org/stable/c/d0aefec1b1a1ba2c1d251028dc2c4e5b4ce1fea5

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-13T13:40:26.567Z

Updated: 2026-04-18T08:59:36.227Z

Reserved: 2026-03-09T15:48:24.088Z

Link: CVE-2026-31423

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-13T14:16:12.070

Modified: 2026-04-18T09:16:32.270

Link: CVE-2026-31423

Redhat

Severity : Moderate

Publid Date: 2026-04-13T00:00:00Z

Links: CVE-2026-31423 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:34:25Z

Weaknesses

CWE-369

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object