CVE-2026-31422
Received - Intake
Null Pointer Dereference in Linux Kernel net/sched cls_flow

Publication date: 2026-04-13

Last updated on: 2026-04-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_flow: fix NULL pointer dereference on shared blocks

flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block.

Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks.

This avoids the null-deref shown below:

=======================================================================
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:flow_change (net/sched/cls_flow.c:508)
Call Trace:
 tc_new_tfilter (net/sched/cls_api.c:2432)
 rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)
 [...]
=======================================================================

Meta Information
Published: 2026-04-13
Last Modified: 2026-04-18
Generated: 2026-05-07
AI Q&A: 2026-04-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product         Version / Range
linux     linux_kernel    *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's network scheduler component, specifically in the cls_flow module. The issue arises because the function flow_change() calls tcf_block_q() and dereferences q->handle to get a default baseclass. However, when dealing with shared blocks, block->q is NULL, which leads to a NULL pointer dereference if a flow filter without a fully qualified baseclass is created on such a shared block.

The fix involves checking if the block is shared using tcf_block_shared() before accessing block->q, and returning an error (-EINVAL) for shared blocks to avoid the NULL pointer dereference.


How can this vulnerability impact me?

This vulnerability can cause a NULL pointer dereference in the Linux kernel, which may lead to a kernel crash or denial of service (DoS). Such a crash could disrupt network traffic handling and potentially affect system stability or availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability causes a NULL pointer dereference in the Linux kernel's traffic control flow classifier (cls_flow) when handling shared blocks without a fully qualified baseclass.

Detection can be done by monitoring kernel logs for messages indicating a NULL pointer dereference related to flow_change in net/sched/cls_flow.c, such as KASAN reports showing null-ptr-deref at flow_change.

You can check kernel logs using commands like:

  • dmesg | grep -i 'null-ptr-deref'
  • journalctl -k | grep -i 'flow_change'
  • journalctl -k | grep -i 'cls_flow'

Additionally, monitoring for crashes or kernel oops related to net/sched or rtnetlink components may help detect exploitation attempts.
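
The greps above match any log line that contains those strings. As an added example (not part of the original page), the filter below counts only NULL-dereference reports whose faulting RIP is in flow_change(). The function names and the sample log are constructed for this example: the KASAN lines follow the trace in the description, and the second report uses the plain x86 oops wording seen on kernels built without KASAN.

```shell
#!/bin/sh
# Added example: count kernel oopses whose faulting function is flow_change().
# Usage on a live host: journalctl -k --no-pager | count_cls_flow_oops

# Reads kernel log text on stdin and prints the number of NULL-dereference
# reports whose first RIP line points into flow_change().
count_cls_flow_oops() {
    awk '
        # Report header: KASAN wording (from the advisory) or the plain oops
        # wording printed by x86 kernels built without KASAN.
        /null-ptr-deref|NULL pointer dereference/ { window = 30; next }
        window > 0 {
            window--
            if ($0 ~ /RIP: /) {
                # The first RIP line after the header names the faulting code.
                if ($0 ~ /RIP: [0-9a-f]+:flow_change[ +]/) hits++
                window = 0
            }
        }
        END { print hits + 0 }
    '
}

# Constructed sample log: one KASAN report in flow_change, one unrelated
# NULL dereference in a hypothetical function, one non-KASAN report.
sample_log() {
    cat <<'EOF'
kernel: example: unrelated line that mentions cls_flow and flow_change
kernel: KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
kernel: CPU: 0 PID: 4242 Comm: tc
kernel: RIP: 0010:flow_change (net/sched/cls_flow.c:508)
kernel: Call Trace:
kernel:  tc_new_tfilter (net/sched/cls_api.c:2432)
kernel:  rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000010
kernel: RIP: 0010:example_other_fn+0x10/0x40
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000038
kernel: RIP: 0010:flow_change+0x1a2/0x9c0 [cls_flow]
EOF
}

sample_log | count_cls_flow_oops   # prints 2 for the constructed sample
```

A non-zero count on a production host is a reason to check the running kernel version against the fixed release and to review which tc filters are attached to shared blocks.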


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by checking for shared blocks before dereferencing pointers in the flow classifier code, avoiding NULL pointer dereferences.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • Avoid creating flow filters without fully qualified baseclasses on shared blocks until the patch is applied.
  • Monitor kernel logs for signs of crashes or NULL pointer dereferences related to cls_flow and take appropriate action.
