CVE-2026-31422
Analyzed - Analysis Complete
Null Pointer Dereference in Linux Kernel net/sched cls_flow

Publication date: 2026-04-13

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_flow: fix NULL pointer dereference on shared blocks

flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block.

Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below:

=======================================================================
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:flow_change (net/sched/cls_flow.c:508)
Call Trace:
 tc_new_tfilter (net/sched/cls_api.c:2432)
 rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)
 [...]
=======================================================================

Meta Information
Published: 2026-04-13
Last Modified: 2026-05-20
Generated: 2026-06-16
AI Q&A: 2026-04-13
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 13 associated CPEs
Vendor  Product       Version / Range
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  From 5.11 (inc) to 5.15.203 (exc)
linux   linux_kernel  From 6.13 (inc) to 6.18.22 (exc)
linux   linux_kernel  From 5.16 (inc) to 6.1.168 (exc)
linux   linux_kernel  From 6.19 (inc) to 6.19.12 (exc)
linux   linux_kernel  From 6.7 (inc) to 6.12.81 (exc)
linux   linux_kernel  From 6.2 (inc) to 6.6.134 (exc)
linux   linux_kernel  From 4.15 (inc) to 5.10.253 (exc)
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Executive Summary

This vulnerability exists in the Linux kernel's network scheduler component, specifically in the cls_flow module. The issue arises because the function flow_change() calls tcf_block_q() and dereferences q->handle to get a default baseclass. However, when dealing with shared blocks, block->q is NULL, which leads to a NULL pointer dereference if a flow filter without a fully qualified baseclass is created on such a shared block.

The fix involves checking if the block is shared using tcf_block_shared() before accessing block->q, and returning an error (-EINVAL) for shared blocks to avoid the NULL pointer dereference.
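
The check described above, as an added user-space model (not the kernel's code and not from this advisory): the structs, helper bodies and function names baseclass_unpatched/baseclass_patched are simplified stand-ins assumed for illustration, and the handle values are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space stand-ins (assumptions), not the kernel's definitions. */
#define TC_H_MAJ_MASK 0xFFFF0000U
#define TC_H_MIN_MASK 0x0000FFFFU
#define TC_H_MAJ(h) ((h) & TC_H_MAJ_MASK)
#define TC_H_MAKE(maj, min) (((maj) & TC_H_MAJ_MASK) | ((min) & TC_H_MIN_MASK))

struct Qdisc { uint32_t handle; };
struct tcf_block { uint32_t index; struct Qdisc *q; }; /* shared: index != 0, q NULL */

static int tcf_block_shared(const struct tcf_block *b) { return b->index != 0; }
static struct Qdisc *tcf_block_q(const struct tcf_block *b) { return b->q; }

/* Pre-fix logic: q is dereferenced without asking whether the block is shared. */
static int baseclass_unpatched(const struct tcf_block *block, uint32_t *baseclass)
{
    if (TC_H_MAJ(*baseclass) == 0) {
        struct Qdisc *q = tcf_block_q(block);
        *baseclass = TC_H_MAKE(q->handle, *baseclass); /* NULL deref if shared */
    }
    return 0;
}

/* Post-fix logic: shared blocks are rejected before block->q is touched. */
static int baseclass_patched(const struct tcf_block *block, uint32_t *baseclass)
{
    if (TC_H_MAJ(*baseclass) == 0) {
        if (tcf_block_shared(block))
            return -EINVAL;
        *baseclass = TC_H_MAKE(tcf_block_q(block)->handle, *baseclass);
    }
    return 0;
}

int main(void)
{
    struct Qdisc q = { 0x00010000 };             /* constructed sample values */
    struct tcf_block normal = { 0, &q }, shared = { 1, NULL };
    uint32_t a = 0x5, b = 0x5, c = 0x5;
    int ra = baseclass_unpatched(&normal, &a);   /* safe only because q is set */
    int rb = baseclass_patched(&normal, &b);
    int rc = baseclass_patched(&shared, &c);     /* rejected instead of crashing */
    printf("unpatched/normal %d 0x%08x\n", ra, (unsigned)a);
    printf("patched/normal   %d 0x%08x\n", rb, (unsigned)b);
    printf("patched/shared   %d 0x%08x\n", rc, (unsigned)c);
    return 0;
}
```

In this model, a baseclass that already carries a major number skips the derivation entirely, which is why only filters without a fully qualified baseclass reach the dereference.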

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel, which may lead to a kernel crash or denial of service (DoS). Such a crash could disrupt network traffic handling and potentially affect system stability or availability.

Detection Guidance

This vulnerability causes a NULL pointer dereference in the Linux kernel's traffic control flow classifier (cls_flow) when handling shared blocks without a fully qualified baseclass.

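Detection can be done by monitoring kernel logs for messages indicating a NULL pointer dereference related to flow_change in net/sched/cls_flow.c, such as KASAN reports showing null-ptr-deref at flow_change. KASAN reports are only produced by kernels built with KASAN enabled, so on other kernels search the oops output for flow_change instead.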

You can check kernel logs using commands like:

  • dmesg | grep -i 'null-ptr-deref'
  • journalctl -k | grep -i 'flow_change'
  • journalctl -k | grep -i 'cls_flow'

Additionally, monitoring for crashes or kernel oops related to net/sched or rtnetlink components may help detect exploitation attempts.

Mitigation Strategies

The vulnerability is fixed by checking for shared blocks before dereferencing pointers in the flow classifier code, avoiding NULL pointer dereferences.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • Avoid creating flow filters without fully qualified baseclasses on shared blocks until the patch is applied.
  • Monitor kernel logs for signs of crashes or NULL pointer dereferences related to cls_flow and take appropriate action.