CVE-2026-23379

Received Received - Intake

Divide-by-Zero Vulnerability in Linux Kernel ETS Offload Path

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: fix divide by zero in the offload path Offloading ETS requires computing each class' WRR weight: this is done by averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned int, the same integer size as the individual DRR quanta, can overflow and even cause division by zero, like it happened in the following splat: Oops: divide error: 0000 [#1] SMP PTI CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full) Tainted: [E]=UNSIGNED_MODULE Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44 RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246 RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660 RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000 FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0 Call Trace: <TASK> ets_qdisc_change+0x870/0xf40 [sch_ets] qdisc_create+0x12b/0x540 tc_modify_qdisc+0x6d7/0xbd0 rtnetlink_rcv_msg+0x168/0x6b0 netlink_rcv_skb+0x5c/0x110 netlink_unicast+0x1d6/0x2b0 netlink_sendmsg+0x22e/0x470 ____sys_sendmsg+0x38a/0x3c0 ___sys_sendmsg+0x99/0xe0 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x111/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f440b81c77e Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003 RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8 R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980 </TASK> Modules linked in: sch_ets(E) netdevsim(E) ---[ end trace 0000000000000000 ]--- RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44 RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246 RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660 RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000 FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0 Kernel panic - not syncing: Fatal exception Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ---[ end Kernel panic - not syncing: Fatal exception ]--- Fix this using 64-bit integers for 'q_sum' and 'q_psum'.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-25

Last Modified

2026-04-24

Generated

2026-06-16

AI Q&A

2026-03-25

EPSS Evaluated

2026-06-14

NVD

CVE-2026-23379

EUVD

EUVD-2026-15371

Affected Vendors & Products

Vendor	Product	Version / Range
linux	linux_kernel	5.6
linux	linux_kernel	From 6.19 (inc) to 6.19.7 (exc)
linux	linux_kernel	7.0
linux	linux_kernel	7.0
linux	linux_kernel	7.0
linux	linux_kernel	7.0
linux	linux_kernel	7.0
linux	linux_kernel	7.0
linux	linux_kernel	7.0
linux	linux_kernel	From 6.13 (inc) to 6.18.17 (exc)
linux	linux_kernel	From 6.2 (inc) to 6.6.130 (exc)
linux	linux_kernel	From 6.7 (inc) to 6.12.77 (exc)
linux	linux_kernel	From 5.11 (inc) to 5.15.203 (exc)
linux	linux_kernel	From 5.16 (inc) to 6.1.167 (exc)
linux	linux_kernel	From 5.6.1 (inc) to 5.10.253 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-369	The product divides a value by zero.

Attack-Flow Graph

Executive Summary

This vulnerability exists in the Linux kernel's network scheduler component, specifically in the ETS (Enhanced Transmission Selection) offload path.

The issue arises because the calculation of each class's WRR (Weighted Round Robin) weight uses unsigned 32-bit integers for summing quanta values ('q_sum' and 'q_psum'). This can cause integer overflow and lead to a division by zero error.

When this division by zero occurs, it triggers a kernel panic, causing the system to crash with a fatal exception.

The fix involves using 64-bit integers for these sums to prevent overflow and avoid the division by zero.

Impact Analysis

This vulnerability can cause the Linux kernel to crash unexpectedly due to a kernel panic triggered by a division by zero error.

Such crashes can lead to system downtime, loss of availability, and potential disruption of services running on affected systems.

In environments relying on network traffic scheduling and offloading, this could impact network performance and reliability.

Detection Guidance

This vulnerability manifests as a kernel panic caused by a divide by zero error in the Linux kernel's ETS offload path. Detection involves monitoring system logs for kernel panic messages or Oops traces related to 'ets_offload_change' or 'sch_ets'.

You can check your system logs for such errors using commands like:

dmesg | grep -i 'ets_offload_change'
journalctl -k | grep -i 'divide error'
grep -i 'Kernel panic' /var/log/kern.log

Additionally, monitoring for crashes or unexpected reboots related to traffic control (tc) commands or ETS offloading may indicate the presence of this vulnerability.

Mitigation Strategies

The immediate mitigation is to update the Linux kernel to a version where this vulnerability is fixed. The fix involves using 64-bit integers for the variables 'q_sum' and 'q_psum' to prevent overflow and division by zero.

Until the kernel is updated, avoid enabling or using ETS offloading features that trigger this code path, as they can cause kernel panics.

Monitoring and restricting the use of traffic control (tc) commands related to ETS offload may reduce the risk of triggering the vulnerability.

Compliance Impact

The provided CVE description does not include any information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Hi! I’m here to help you understand CVE-2026-23379. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-23379

Divide-by-Zero Vulnerability in Linux Kernel ETS Offload Path

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart