CVE-2026-31421
Published: Apr 13, 2026
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_fw: fix NULL pointer dereference on shared blocks

The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle. Shared blocks leave block->q NULL, causing a NULL deref when an empty cls_fw filter is attached to a shared block and a packet with a nonzero major skb mark is classified.

Reject the configuration in fw_change() when the old method (no TCA_OPTIONS) is used on a shared block, since fw_classify()'s old-method path needs block->q which is NULL for shared blocks.

The fixed null-ptr-deref calling stack:

```
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:fw_classify (net/sched/cls_fw.c:81)
Call Trace:
 tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)
 tc_run (net/core/dev.c:4401)
 __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)
```
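A simplified userspace model of the flaw and the fix described above, added here as an illustration and not taken from the kernel source or the patch. The struct and function names (`model_change`, `model_classify_old`), the `WOULD_FAULT` sentinel and the `-EINVAL` return value are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the description above; not kernel source. */
#define MAJ(h) ((h) & 0xFFFF0000U)  /* major half of a handle, as TC_H_MAJ */
enum { NO_MATCH = -1, MATCH = 0, WOULD_FAULT = 1 };

struct qdisc { uint32_t handle; };
struct block { struct qdisc *q; };  /* q is NULL on a shared block */
struct filter { struct block *blk; int has_options; };

/* Model of the configuration step. With check_shared set it applies the
 * rule from the fix: no options (old method) on a shared block is refused.
 * -EINVAL is an assumed error code. */
int model_change(struct filter *f, struct block *b, int has_options,
                 int check_shared)
{
    if (check_shared && !has_options && b->q == NULL)
        return -EINVAL;
    f->blk = b;
    f->has_options = has_options;
    return 0;
}

/* Model of the old-method classify path. Where the kernel path would read
 * q->handle with q NULL, the model returns WOULD_FAULT instead of crashing. */
int model_classify_old(const struct filter *f, uint32_t mark)
{
    const struct qdisc *q = f->blk->q;

    if (mark == 0)
        return NO_MATCH;
    if (MAJ(mark) == 0)
        return MATCH;          /* zero major: q is never consulted */
    if (q == NULL)
        return WOULD_FAULT;    /* nonzero major on a shared block */
    return MAJ(mark ^ q->handle) == 0 ? MATCH : NO_MATCH;
}

int main(void)
{
    struct block shared = { NULL };  /* constructed sample: shared block */
    struct filter f = { 0 };

    printf("unchecked change: %d\n", model_change(&f, &shared, 0, 0));
    printf("classify 0x10001: %d\n", model_classify_old(&f, 0x00010001U));
    printf("checked change:   %d\n", model_change(&f, &shared, 0, 1));
    return 0;
}
```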
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | affected 1abf272022cf1d18469405f47b4ec49c6a3125db - < d6d5bd62a09650856e1e2010eb09853eba0d64e1; affected 1abf272022cf1d18469405f47b4ec49c6a3125db - < febf64ca79a2d6540ab6e5e197fa0f4f7e84473e; affected 1abf272022cf1d18469405f47b4ec49c6a3125db - < 3d41f9a314afa94b1c7c7c75405920123220e8cd; affected 1abf272022cf1d18469405f47b4ec49c6a3125db - < 18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28; affected 1abf272022cf1d18469405f47b4ec49c6a3125db - < 5cf41031922c154aa5ccda8bcdb0f5e6226582ec; +3 more versions |
| Linux | Linux | affected 4.15; unaffected 0 - < 4.15; unaffected 5.10.253 - <= 5.10.\*; unaffected 5.15.203 - <= 5.15.\*; unaffected 6.1.168 - <= 6.1.\*; +5 more versions |