CVE-2026-43496 - Vulnerability Details

- net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked

When red qdisc has children (eg qfq qdisc) whose peek() callback is
qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such
qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from
its child (red in this case), it will do the following:
1a. do a peek() - and when sensing there's an skb the child can offer, then
- the child in this case(red) calls its child's (qfq) peek.
qfq does the right thing and will return the gso_skb queue packet.
Note: if there wasnt a gso_skb entry then qfq will store it there.
1b. invoke a dequeue() on the child (red). And herein lies the problem.
- red will call the child's dequeue() which will essentially just
try to grab something of qfq's queue.

[ 78.667668][ T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
[ 78.667927][ T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full)
[ 78.668263][ T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 78.668486][ T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq]
[ 78.668718][ T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d
[ 78.669312][ T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216
[ 78.669533][ T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 78.669790][ T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048
[ 78.670044][ T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078
[ 78.670297][ T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000
[ 78.670560][ T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200
[ 78.670814][ T363] FS: 00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000
[ 78.671110][ T363] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 78.671324][ T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0
[ 78.671585][ T363] PKRU: 55555554
[ 78.671713][ T363] Call Trace:
[ 78.671843][ T363] <TASK>
[ 78.671936][ T363] ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq]
[ 78.672148][ T363] ? __pfx__printk+0x10/0x10
[ 78.672322][ T363] ? srso_alias_return_thunk+0x5/0xfbef5
[ 78.672496][ T363] ? lockdep_hardirqs_on_prepare+0xa8/0x1a0
[ 78.672706][ T363] ? srso_alias_return_thunk+0x5/0xfbef5
[ 78.672875][ T363] ? trace_hardirqs_on+0x19/0x1a0
[ 78.673047][ T363] red_dequeue+0x65/0x270 [sch_red]
[ 78.673217][ T363] ? srso_alias_return_thunk+0x5/0xfbef5
[ 78.673385][ T363] tbf_dequeue.cold+0xb0/0x70c [sch_tbf]
[ 78.673566][ T363] __qdisc_run+0x169/0x1900

The right thing to do in #1b is to grab the skb off gso_skb queue.
This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked()
method instead.

Published: 2026-05-21

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A null pointer dereference in the Linux kernel’s traffic control subsystem occurs when the red qdisc incorrectly invokes its child’s dequeue method directly after a peek operation. The bug triggers a kernel panic and disrupts all system operations. The weakness is a classic null pointer dereference, corresponding to CWE‑476. The vulnerability is limited to the scheduler component and does not directly expose data or execute arbitrary code.

Affected Systems

The flaw resides in the Linux kernel’s network scheduling code (sch_red). All kernels that contain the unpatched sch_red implementation are vulnerable until the upstream patch that replaces the direct dequeue call with the safer qdisc_dequeue_peeked() method is applied. The affected product is the Linux operating system kernel, specifically the network traffic control stack.

Risk and Exploitability

The kernel crash makes this a high‑risk denial of service flaw. The EPSS score is not available and the vulnerability is not listed in CISA KEV, indicating that widespread exploitation may not yet be observed. The likely attack vector is remote, network‑based, as the bug is triggered by crafted packets that exercise the problematic qdisc path; this inference is based on the nature of the component, but the description does not explicitly state the attack entry point. Attackers with network access could trigger the panic by sending packets that cause the red qdisc to process child queues containing a null pointer. Consequently, a timely patch or mitigations are recommended.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`77be155cba4e163e8bba9fd27222a8b6189ec4f7`	affected	< 36aa34f42cb6842cf371f3a2d3e855d24fd57a50
`77be155cba4e163e8bba9fd27222a8b6189ec4f7`	affected	< ce051eede433f876d322ac3550a36a3c6fc4c231
`77be155cba4e163e8bba9fd27222a8b6189ec4f7`	affected	< 8d09618840b99ef00154d3e731ce9b11e096196d
`77be155cba4e163e8bba9fd27222a8b6189ec4f7`	affected	< 587dcf970a525f543d8b5855d9f37a4ca97b76ef
`77be155cba4e163e8bba9fd27222a8b6189ec4f7`	affected	< 458d5615272d3de535748342eb68ca492343048c

Linux

affected

Version	Status	Constraints
`2.6.29`	affected	—
`0`	unaffected	< 2.6.29
`6.6.140`	unaffected	≤ 6.6.*
`6.12.88`	unaffected	≤ 6.12.*
`6.18.30`	unaffected	≤ 6.18.*
`7.0.7`	unaffected	≤ 7.0.*
`7.1-rc3`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[77be155cba4e163e8bba9fd27222a8b6189ec4f7,36aa34f42cb6842cf371f3a2d3e855d24fd57a50)`	affected	code_commit	—
`[77be155cba4e163e8bba9fd27222a8b6189ec4f7,ce051eede433f876d322ac3550a36a3c6fc4c231)`	affected	code_commit	—
`[77be155cba4e163e8bba9fd27222a8b6189ec4f7,8d09618840b99ef00154d3e731ce9b11e096196d)`	affected	code_commit	—
`[77be155cba4e163e8bba9fd27222a8b6189ec4f7,587dcf970a525f543d8b5855d9f37a4ca97b76ef)`	affected	code_commit	—
`[77be155cba4e163e8bba9fd27222a8b6189ec4f7,458d5615272d3de535748342eb68ca492343048c)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.29`	affected	semver	—
`[0,2.6.29)`	unaffected	semver	—
`[6.6.140,7.0.0)`	unaffected	semver	—
`[6.12.88,7.0.0)`	unaffected	semver	—
`[6.18.30,7.0.0)`	unaffected	semver	—
`[7.0.7,8.0.0)`	unaffected	semver	—
`[7.1-rc3,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that includes the upstream patch replacing the direct dequeue call with qdisc_dequeue_peeked()
If an update is not immediately possible, consider disabling or removing the red qdisc from the network stack to eliminate the vulnerable code path
Ensure that any child queuing disciplines, such as qfq or tbf, are also updated to versions that do not trigger the bug

Generated by OpenCVE AI on May 21, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/36aa34f42cb6842cf371f3a2d3e855d24fd57a50
https://git.kernel.org/stable/c/458d5615272d3de535748342eb68ca492343048c
https://git.kernel.org/stable/c/587dcf970a525f543d8b5855d9f37a4ca97b76ef
https://git.kernel.org/stable/c/8d09618840b99ef00154d3e731ce9b11e096196d
https://git.kernel.org/stable/c/ce051eede433f876d322ac3550a36a3c6fc4c231

History

Thu, 21 May 2026 12:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following: 1a. do a peek() - and when sensing there's an skb the child can offer, then - the child in this case(red) calls its child's (qfq) peek. qfq does the right thing and will return the gso_skb queue packet. Note: if there wasnt a gso_skb entry then qfq will store it there. 1b. invoke a dequeue() on the child (red). And herein lies the problem. - red will call the child's dequeue() which will essentially just try to grab something of qfq's queue. [ 78.667668][ T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [ 78.667927][ T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [ 78.668263][ T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 78.668486][ T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [ 78.668718][ T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [ 78.669312][ T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [ 78.669533][ T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 78.669790][ T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [ 78.670044][ T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [ 78.670297][ T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [ 78.670560][ T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [ 78.670814][ T363] FS: 00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [ 78.671110][ T363] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 78.671324][ T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [ 78.671585][ T363] PKRU: 55555554 [ 78.671713][ T363] Call Trace: [ 78.671843][ T363] <TASK> [ 78.671936][ T363] ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [ 78.672148][ T363] ? __pfx__printk+0x10/0x10 [ 78.672322][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.672496][ T363] ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [ 78.672706][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.672875][ T363] ? trace_hardirqs_on+0x19/0x1a0 [ 78.673047][ T363] red_dequeue+0x65/0x270 [sch_red] [ 78.673217][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.673385][ T363] tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [ 78.673566][ T363] __qdisc_run+0x169/0x1900 The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.
Title		net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/36aa34f42cb6842cf371f3a2d3e855d24fd57a50 https://git.kernel.org/stable/c/458d5615272d3de535748342eb68ca492343048c https://git.kernel.org/stable/c/587dcf970a525f543d8b5855d9f37a4ca97b76ef https://git.kernel.org/stable/c/8d09618840b99ef00154d3e731ce9b11e096196d https://git.kernel.org/stable/c/ce051eede433f876d322ac3550a36a3c6fc4c231

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-21T12:12:46.584Z

Updated: 2026-05-21T12:12:46.584Z

Reserved: 2026-05-01T14:12:56.013Z

Link: CVE-2026-43496

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T13:16:18.960

Modified: 2026-05-21T13:16:18.960

Link: CVE-2026-43496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T14:00:12Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object