CVE-2026-52997 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_dualpi2: drain both C-queue and L-queue in dualpi2_change()

Fix dualpi2_change() to correctly enforce updated limit and memlimit
values after a configuration change of the dualpi2 qdisc.

Before this patch, dualpi2_change() always attempted to dequeue packets
via the root qdisc (C-queue) when reducing backlog or memory usage, and
unconditionally assumed that a valid skb will be returned. When traffic
classification results in packets being queued in the L-queue while the
C-queue is empty, this leads to a NULL skb dereference during limit or
memlimit enforcement.

This is fixed by first dequeuing from the C-queue path if it is
non-empty. Once the C-queue is empty, packets are dequeued directly from
the L-queue. Return values from qdisc_dequeue_internal() are checked for
both queues. When dequeuing from the L-queue, the parent qdisc qlen and
backlog counters are updated explicitly to keep overall qdisc statistics
consistent.

Published: 2026-06-24

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw resides in the Linux kernel's dualpi2 traffic control module. The change handler failed to verify the return value when dequeuing packets from the L‑queue after the C‑queue was empty, resulting in a NULL pointer dereference during backlog or memory limit enforcement. This kernel panic immediately brings the system down, abruptly halting network services.

Affected Systems

All Linux kernel installations that lack the commit 3042add80c2c50bd127d570b83319af612efde65 or later are vulnerable. The weakness affects the dualpi2 qdisc across all kernel families, regardless of configuration, and can be triggered on any system that still uses this kernel version.

Risk and Exploitability

Because a NULL pointer dereference at kernel level causes a crash, the risk is high. Exploitation requires triggering a configuration change or traffic scenario that causes dualpi2_change() to run under the vulnerable condition. The attack vector is inferred to be local or remote network traffic that modifies qdisc settings or classifies packets such that the L‑queue is populated while the C‑queue remains empty. No EPSS score is available and the vulnerability is not listed in CISA KEV, but the potential for a kernel panic creates a critical threat to availability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`320d031ad6e4d67e8e1ab08ac71efda02bc85683`	affected	< 86cf2eba2056bcf9c41fba260e599bd95bf9943b
`320d031ad6e4d67e8e1ab08ac71efda02bc85683`	affected	< 3042add80c2c50bd127d570b83319af612efde65
`320d031ad6e4d67e8e1ab08ac71efda02bc85683`	affected	< 478ed6b7d2577439c610f91fa8759a4c878a4264

Linux

affected

Version	Status	Constraints
`6.17`	affected	—
`0`	unaffected	< 6.17
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[320d031ad6e4d67e8e1ab08ac71efda02bc85683,86cf2eba2056bcf9c41fba260e599bd95bf9943b)`	affected	code_commit	—
`[320d031ad6e4d67e8e1ab08ac71efda02bc85683,3042add80c2c50bd127d570b83319af612efde65)`	affected	code_commit	—
`[320d031ad6e4d67e8e1ab08ac71efda02bc85683,478ed6b7d2577439c610f91fa8759a4c878a4264)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.17`	affected	semver	—
`[0,6.17)`	unaffected	semver	—
`[6.18.33,6.19.0)`	unaffected	semver	—
`[7.0.10,7.1.0)`	unaffected	semver	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that incorporates commit 3042add80c2c50bd127d570b83319af612efde65 or later.
If an immediate kernel upgrade is not feasible, avoid any configuration changes to the dualpi2 qdisc or disable the module until a patched kernel is available.
Regularly monitor system logs (dmesg, syslog) for kernel‑panic messages and unexpected reboots, and apply the patch as soon as it is released.

Generated by OpenCVE AI on June 24, 2026 at 19:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00173.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3042add80c2c50bd127d570b83319af612efde65
https://git.kernel.org/stable/c/478ed6b7d2577439c610f91fa8759a4c878a4264
https://git.kernel.org/stable/c/86cf2eba2056bcf9c41fba260e599bd95bf9943b

History

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_dualpi2: drain both C-queue and L-queue in dualpi2_change() Fix dualpi2_change() to correctly enforce updated limit and memlimit values after a configuration change of the dualpi2 qdisc. Before this patch, dualpi2_change() always attempted to dequeue packets via the root qdisc (C-queue) when reducing backlog or memory usage, and unconditionally assumed that a valid skb will be returned. When traffic classification results in packets being queued in the L-queue while the C-queue is empty, this leads to a NULL skb dereference during limit or memlimit enforcement. This is fixed by first dequeuing from the C-queue path if it is non-empty. Once the C-queue is empty, packets are dequeued directly from the L-queue. Return values from qdisc_dequeue_internal() are checked for both queues. When dequeuing from the L-queue, the parent qdisc qlen and backlog counters are updated explicitly to keep overall qdisc statistics consistent.
Title		net/sched: sch_dualpi2: drain both C-queue and L-queue in dualpi2_change()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3042add80c2c50bd127d570b83319af612efde65 https://git.kernel.org/stable/c/478ed6b7d2577439c610f91fa8759a4c878a4264 https://git.kernel.org/stable/c/86cf2eba2056bcf9c41fba260e599bd95bf9943b

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:29:09.997Z

Updated: 2026-06-24T16:29:09.997Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-52997

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T04:00:07Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object