CVE-2026-45845

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A NULL pointer dereference exists in the Linux kernel's TAPRIO child qdisc implementation. When a TAPRIO child qdisc is deleted via RTM DELQDISC, the taprio graft() function stores a NULL value in the q->qdiscs array. Subsequent RTM GETTCLASS dump operations use taprio walk() to call taprio dump class(), which then calls taprio leaf(). Because taprio leaf() returns the NULL pointer, the system attempts to dereference it to read the child->handle variable, leading to a kernel panic. This issue is reachable on any kernel with CONFIG NET SCH TAPRIO enabled. On systems with unprivileged user namespaces enabled, a local user can trigger this by creating a taprio qdisc in a new network namespace, grafting a child qdisc, deleting it, and requesting a class dump.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.