CVE-2026-31422

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls flow: fix NULL pointer dereference on shared blocks

flow change() calls tcf block q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block.

Check tcf block shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below:

======================================================================= KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:flow change (net/sched/cls flow.c:508) Call Trace: tc new tfilter (net/sched/cls api.c:2432) rtnetlink rcv msg (net/core/rtnetlink.c:6980) [...]

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2026-31422

Affected Products

Linux

CVE-2026-31422

======================================================================= KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:flow change (net/sched/cls flow.c:508) Call Trace: tc new tfilter (net/sched/cls api.c:2432) rtnetlink rcv msg (net/core/rtnetlink.c:6980) [...]

Related Identifiers

Affected Products

References · 7