Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()

Commit 38a6f0865796 ("net: sched: support hash selecting tx queue")
added SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size is
computed as:

mapping_mod = queue_mapping_max - queue_mapping + 1;

The range size can be 65536 when the requested range covers all possible
u16 queue IDs (e.g. queue_mapping=0 and queue_mapping_max=U16_MAX).
That value cannot be represented in a u16 and previously wrapped to 0,
so tcf_skbedit_hash() could trigger a divide-by-zero:

queue_mapping += skb_get_hash(skb) % params->mapping_mod;

Compute mapping_mod in a wider type and reject ranges larger than U16_MAX
to prevent params->mapping_mod from becoming 0 and avoid the crash.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A divide-by-zero exists in tcf_skbedit_hash() in the Linux kernel's net/sched act_skbedit module and can cause a kernel panic. The bug is triggered when the queue-mapping range covers all 16-bit queue identifiers: the range size of 65536 wraps to 0 in the u16 mapping_mod, which is then used as the modulus in the hash calculation. Executing this code path crashes the kernel, resulting in a full system reboot or halt and denying service to the host.
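The wrap and the corrected validation can be reproduced in user space. This is an added example, not kernel code and not the upstream patch; the function names, the -1 return values and the max < min check are assumptions of the example, and the zero guard in select_queue() stands in for the point where the kernel would execute the modulo.

```c
#include <stdint.h>
#include <stdio.h>

#define U16_MAX 0xFFFFu

/* Pre-fix arithmetic: the inclusive range size is truncated to a u16. */
static uint16_t mapping_mod_wrapping(uint16_t queue_mapping, uint16_t queue_mapping_max)
{
    return (uint16_t)(queue_mapping_max - queue_mapping + 1);
}

/* Approach described in the fix: compute in a wider type and reject ranges
 * larger than U16_MAX. Returns 0 on success, -1 on rejection (hypothetical). */
static int mapping_mod_checked(uint16_t queue_mapping, uint16_t queue_mapping_max,
                               uint16_t *mapping_mod)
{
    uint32_t range;

    if (queue_mapping_max < queue_mapping)   /* assumption: inverted range is invalid */
        return -1;
    range = (uint32_t)queue_mapping_max - queue_mapping + 1;
    if (range > U16_MAX)                     /* 65536 does not fit in a u16 */
        return -1;
    *mapping_mod = (uint16_t)range;
    return 0;
}

/* Model of the datapath step: queue_mapping += hash % mapping_mod.
 * Returns -1 where the kernel would have divided by zero. */
static int select_queue(uint16_t queue_mapping, uint16_t mapping_mod, uint32_t hash)
{
    if (mapping_mod == 0)
        return -1;
    return queue_mapping + (int)(hash % mapping_mod);
}

int main(void)
{
    uint16_t mod = 0;
    uint16_t wrapped = mapping_mod_wrapping(0, U16_MAX);   /* constructed input */

    printf("pre-fix mapping_mod for [0, 65535]: %u\n", (unsigned)wrapped);
    printf("datapath with that modulus: %d (-1 = divide-by-zero)\n",
           select_queue(0, wrapped, 0xdeadbeefu));
    printf("checked [0, 65535]: %d\n", mapping_mod_checked(0, U16_MAX, &mod));
    printf("checked [1, 65535]: %d, mapping_mod=%u\n",
           mapping_mod_checked(1, U16_MAX, &mod), (unsigned)mod);
    return 0;
}
```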

Affected Systems

Per the description, the bug was introduced by commit 38a6f0865796 ("net: sched: support hash selecting tx queue"), which added SKBEDIT_F_TXQ_SKBHASH support, so kernels that contain that commit and do not yet carry the tcf_skbedit_hash() fix are affected. The advisory does not list specific version numbers, so administrators should check whether their kernel includes the fix.

Risk and Exploitability

The CVSS score of 5.5 categorizes the vulnerability as medium severity. An EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the issue is not included in the CISA KEV catalog. Based on the description, the likely attack vector involves sending traffic that activates the traffic‑class filter to compute a queue‑mapping hash. The precise vector is not explicitly stated, so this inference is tentative; the exposure could be local or remote depending on how the filter is reachable. No privilege escalation or data‑exfiltration paths are documented; the primary consequence is an outage due to a kernel crash.

Generated by OpenCVE AI on May 12, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the fix for tcf_skbedit_hash(), which computes mapping_mod in a wider integer type and rejects ranges larger than U16_MAX. Commit 38a6f0865796 is the change that added SKBEDIT_F_TXQ_SKBHASH support, not the fix.
  • If a kernel upgrade cannot be performed immediately, avoid skbedit actions that use SKBEDIT_F_TXQ_SKBHASH (hash-based tx queue selection), or configure network interfaces so that this feature is not invoked, thereby bypassing the vulnerable code path.
  • If your distribution has not yet released an updated kernel, apply the upstream patch manually or rebuild the kernel with the patch applied.

Advisories

No advisories yet.

History

Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-369
Metrics
  Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 07 May 2026 05:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-189

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics
  Removed: threat_severity None
  Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}, threat_severity Moderate


Wed, 06 May 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-189

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description (same text as the Description section at the top of this page)
Title net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:20:40.634Z

Reserved: 2026-05-01T14:12:55.995Z

Link: CVE-2026-43238

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:44.093

Modified: 2026-05-12T18:54:31.840

Link: CVE-2026-43238

Redhat

Severity : Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43238 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-12T23:15:27Z

Weaknesses