CVE-2026-22999

Severity: Medium
CVSS 3.1 Base Score: 5.5
EPSS: 10.4%
Published: Jan 25, 2026
Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_qfq: do not free existing class in qfq_change_class()

Fixes qfq_change_class() error case.

cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF.

CVSS Details

Base Score: 5.5
Exploitability: 1.8
Impact: 3.6
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability: 10.4% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Affected Products 11

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥3.8 – <5.10.249
linux   linux_kernel  *        ≥5.11 – <5.15.199
linux   linux_kernel  *        ≥5.16 – <6.1.162
linux   linux_kernel  *        ≥6.2 – <6.6.122
linux   linux_kernel  *        ≥6.7 – <6.12.67
linux   linux_kernel  *        ≥6.13 – <6.18.7
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any

References 7

  • https://git.kernel.org/stable/c/0a234660dc70ce45d771cbc76b20d925b73ec160 (Patch)
  • https://git.kernel.org/stable/c/2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e (Patch)
  • https://git.kernel.org/stable/c/362e269bb03f7076ba9990e518aeddb898232e50 (Patch)
  • https://git.kernel.org/stable/c/3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 (Patch)
  • https://git.kernel.org/stable/c/cff6cd703f41d8071995956142729e4bba160363 (Patch)
  • https://git.kernel.org/stable/c/e9d8f11652fa08c647bf7bba7dd8163241a332cd (Patch)
  • https://git.kernel.org/stable/c/f06f7635499bc806cbe2bbc8805c7cef8b1edddf (Patch)
