CVE-2026-31422

MEDIUM EPSS 1.9%
Published Apr 13, 20262mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Apr 13, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_flow: fix NULL pointer dereference on shared blocks flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block. Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below: ======================================================================= KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:flow_change (net/sched/cls_flow.c:508) Call Trace: tc_new_tfilter (net/sched/cls_api.c:2432) rtnetlink_rcv_msg (net/core/rtnetlink.c:6980) [...] =======================================================================

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
1.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 13

VendorProductVersionRange
linuxlinux_kernel*≥4.15  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.168
linuxlinux_kernel*≥6.2  –  <6.6.134
linuxlinux_kernel*≥6.7  –  <6.12.81
linuxlinux_kernel*≥6.13  –  <6.18.22
linuxlinux_kernel*≥6.19  –  <6.19.12
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/1a280dd4bd1d616a01d6ffe0de284c907b555504
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/415ea0c973c754b9f375225807810eb9045f4293
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4a09f72007201c9f667dc47f64517ec23eea65e5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/57f94ac7e953eece5ed4819605a18f3cdfc63dcc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/942813276edeb1741fa5b0a73471beb4e495fa08
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a208c3e1232997e9317887294c20008dfcb75449
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cc707a4fd4c3b6ab2722e06bc359aa010e13d408
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1a280dd4bd1d616a01d6ffe0de284c907b555504
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/415ea0c973c754b9f375225807810eb9045f4293
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4a09f72007201c9f667dc47f64517ec23eea65e5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/57f94ac7e953eece5ed4819605a18f3cdfc63dcc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/942813276edeb1741fa5b0a73471beb4e495fa08
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a208c3e1232997e9317887294c20008dfcb75449
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cc707a4fd4c3b6ab2722e06bc359aa010e13d408
    Patch