Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()

Commit 38a6f0865796 ("net: sched: support hash selecting tx queue")
added SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size is
computed as:

    mapping_mod = queue_mapping_max - queue_mapping + 1;

The range size can be 65536 when the requested range covers all possible
u16 queue IDs (e.g. queue_mapping=0 and queue_mapping_max=U16_MAX).
That value cannot be represented in a u16 and previously wrapped to 0,
so tcf_skbedit_hash() could trigger a divide-by-zero:

    queue_mapping += skb_get_hash(skb) % params->mapping_mod;

Compute mapping_mod in a wider type and reject ranges larger than U16_MAX
to prevent params->mapping_mod from becoming 0 and avoid the crash.
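
The wrap described above, modelled in user space as an added example (not the kernel's code and not the upstream patch). The function names, the -1 return values and the max < min guard are assumptions made for illustration; only the two expressions quoted in the description come from the page.

```c
#include <stdint.h>
#include <stdio.h>

#define U16_MAX 0xFFFFu

/* Pre-fix arithmetic: the inclusive range size is stored in a u16, so a
 * range covering all 65536 queue IDs truncates to 0. */
static uint16_t mapping_mod_u16(uint16_t queue_mapping, uint16_t queue_mapping_max)
{
    return (uint16_t)(queue_mapping_max - queue_mapping + 1);
}

/* Hardened form as the description states it: compute in a wider type and
 * reject ranges larger than U16_MAX. Returns 0 on success, -1 on rejection
 * (-1 is a stand-in for the kernel's error return). */
static int mapping_mod_checked(uint16_t queue_mapping, uint16_t queue_mapping_max,
                               uint16_t *mod_out)
{
    uint32_t mod;

    /* Added guard for this model: without it, max < min wraps the 32-bit
     * subtraction and can again produce a zero divisor. */
    if (queue_mapping_max < queue_mapping)
        return -1;
    mod = (uint32_t)queue_mapping_max - queue_mapping + 1;
    if (mod > U16_MAX)
        return -1;
    *mod_out = (uint16_t)mod;
    return 0;
}

/* Model of the per-packet step. The divisor is checked so the demo never
 * traps; -1 marks the case where the unpatched code would divide by zero. */
static int select_queue(uint32_t hash, uint16_t queue_mapping, uint16_t mapping_mod)
{
    if (mapping_mod == 0)
        return -1;
    return queue_mapping + (int)(hash % mapping_mod);
}

int main(void)
{
    uint16_t mod = 0;

    printf("u16 size of [0, U16_MAX]: %u\n", (unsigned)mapping_mod_u16(0, U16_MAX));
    printf("checked [0, U16_MAX]: %d\n", mapping_mod_checked(0, U16_MAX, &mod));
    printf("checked [2, 5]: %d, mod=%u\n", mapping_mod_checked(2, 5, &mod), (unsigned)mod);
    printf("queue for hash 10 in [2, 5]: %d\n", select_queue(10, 2, mod));
    return 0;
}
```
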
Published: 2026-05-06
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A divide-by-zero error was discovered in tcf_skbedit_hash(), part of the skbedit action (act_skbedit) in the Linux kernel's net/sched traffic-control code. The bug arises when the hash-based queue mapping range covers all 16-bit queue IDs: the inclusive range size is then 65536, which cannot be represented in a u16 and wraps to zero. When tcf_skbedit_hash() uses this zero value as the divisor of a modulo operation, the kernel crashes. The impact is a denial-of-service that brings the system down, potentially allowing an attacker to cause repeated reboots. The vulnerability does not directly expose data or elevate privileges, but the loss of availability can be very disruptive in production environments.

Affected Systems

The flaw affects Linux kernel releases that include the SKBEDIT_F_TXQ_SKBHASH support added by commit 38a6f0865796 ("net: sched: support hash selecting tx queue") and do not yet carry the fix. Any distribution kernel built from such source code is potentially vulnerable. The specific kernel versions are not enumerated in the advisory, so administrators should verify whether their kernel contains the fix by checking their kernel's changelog for CVE-2026-43238.

Risk and Exploitability

The CVSS score is 7.0, which is a High severity rating under CVSS v3.1; Red Hat rates the threat severity as Moderate. EPSS data is unavailable, so exploitation probability cannot be quantified. The bug is not listed in CISA's KEV catalog. The division runs when a packet is processed by an skbedit action whose hash range covers all u16 queue IDs, and the CVSS vector on this page rates the attack vector as local with low privileges required (AV:L/AC:H/PR:L). No code-execution or privilege-escalation path is documented; therefore the primary risk is loss of service.

Generated by OpenCVE AI on May 7, 2026 at 06:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the fix for CVE-2026-43238, which computes mapping_mod in a wider integer type and rejects ranges larger than U16_MAX so that the divisor cannot become zero.
  • If an immediate kernel upgrade is not feasible, avoid configuring skbedit actions that use hash-based tx queue selection (SKBEDIT_F_TXQ_SKBHASH), so that the vulnerable code path is not invoked.
  • Apply the upstream fix manually or rebuild the kernel with it, if your distribution does not provide an updated kernel yet.

Generated by OpenCVE AI on May 7, 2026 at 06:23 UTC.

Advisories

No advisories yet.

History

Thu, 07 May 2026 05:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-189

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-189

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash() Commit 38a6f0865796 ("net: sched: support hash selecting tx queue") added SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size is computed as: mapping_mod = queue_mapping_max - queue_mapping + 1; The range size can be 65536 when the requested range covers all possible u16 queue IDs (e.g. queue_mapping=0 and queue_mapping_max=U16_MAX). That value cannot be represented in a u16 and previously wrapped to 0, so tcf_skbedit_hash() could trigger a divide-by-zero: queue_mapping += skb_get_hash(skb) % params->mapping_mod; Compute mapping_mod in a wider type and reject ranges larger than U16_MAX to prevent params->mapping_mod from becoming 0 and avoid the crash.
Title net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:28:32.950Z

Reserved: 2026-05-01T14:12:55.995Z

Link: CVE-2026-43238

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:44.093

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43238

Redhat

Severity : Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43238 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T06:30:06Z

Weaknesses