Kurt Kanzenbach

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a NULL pointer dereference in the Linux kernel, specifically in the stmmac component. This occurs when deleting a specific tc flower record. The problem arises from a previous incorrect implementation of tc del vlan flow(), which uses flow cls offload flow rule() to get a struct flow rule *rule that is no longer valid for the tc filter delete operation. To replicate the issue, one can add a flower filter for VLAN Priority based frame steering, get the 'pref' id, and then delete a specific tc flower record. The kernel NULL pointer dereference can be observed in the dmesg output. The introduction of stmmac rfs entry as a driver-side flow cls offload record for 'RX frame steering' tc flower aims to resolve this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.