5.5

CVE-2026-31422

net/sched: cls_flow: fix NULL pointer dereference on shared blocks

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_flow: fix NULL pointer dereference on shared blocks

flow_change() calls tcf_block_q() and dereferences q->handle to derive
a default baseclass.  Shared blocks leave block->q NULL, causing a NULL
deref when a flow filter without a fully qualified baseclass is created
on a shared block.

Check tcf_block_shared() before accessing block->q and return -EINVAL
for shared blocks.  This avoids the null-deref shown below:

=======================================================================
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:flow_change (net/sched/cls_flow.c:508)
Call Trace:
 tc_new_tfilter (net/sched/cls_api.c:2432)
 rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)
 [...]
=======================================================================
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.15 < 5.10.253
LinuxLinux Kernel Version >= 5.11 < 5.15.203
LinuxLinux Kernel Version >= 5.16 < 6.1.168
LinuxLinux Kernel Version >= 6.2 < 6.6.134
LinuxLinux Kernel Version >= 6.7 < 6.12.81
LinuxLinux Kernel Version >= 6.13 < 6.18.22
LinuxLinux Kernel Version >= 6.19 < 6.19.12
LinuxLinux Kernel Version7.0 Updaterc1
LinuxLinux Kernel Version7.0 Updaterc2
LinuxLinux Kernel Version7.0 Updaterc3
LinuxLinux Kernel Version7.0 Updaterc4
LinuxLinux Kernel Version7.0 Updaterc5
LinuxLinux Kernel Version7.0 Updaterc6
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.019
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://git.kernel.org/stable/c/cc707a4fd4c3b6ab2722e06bc359aa010e13d408
Patch
https://git.kernel.org/stable/c/4a09f72007201c9f667dc47f64517ec23eea65e5
Patch
https://git.kernel.org/stable/c/9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e
Patch
https://git.kernel.org/stable/c/a208c3e1232997e9317887294c20008dfcb75449
Patch
https://git.kernel.org/stable/c/415ea0c973c754b9f375225807810eb9045f4293
Patch
https://git.kernel.org/stable/c/1a280dd4bd1d616a01d6ffe0de284c907b555504
Patch
https://git.kernel.org/stable/c/57f94ac7e953eece5ed4819605a18f3cdfc63dcc
Patch
https://git.kernel.org/stable/c/942813276edeb1741fa5b0a73471beb4e495fa08
Patch