CVE-2026-52997
Received Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_dualpi2: drain both C-queue and L-queue in dualpi2_change() Fix dualpi2_change() to correctly enforce updated limit and memlimit values after a configuration change of the dualpi2 qdisc. Before this patch, dualpi2_change() always attempted to dequeue packets via the root qdisc (C-queue) when reducing backlog or memory usage, and unconditionally assumed that a valid skb will be returned. When traffic classification results in packets being queued in the L-queue while the C-queue is empty, this leads to a NULL skb dereference during limit or memlimit enforcement. This is fixed by first dequeuing from the C-queue path if it is non-empty. Once the C-queue is empty, packets are dequeued directly from the L-queue. Return values from qdisc_dequeue_internal() are checked for both queues. When dequeuing from the L-queue, the parent qdisc qlen and backlog counters are updated explicitly to keep overall qdisc statistics consistent.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52997
EUVD
EUVD-2026-38865
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's network scheduler, specifically in the dualpi2 qdisc implementation. The function dualpi2_change() did not properly handle dequeuing packets from two different queues (C-queue and L-queue) when enforcing limits after configuration changes.

Before the fix, dualpi2_change() always tried to dequeue packets from the C-queue and assumed a valid packet (skb) would be returned. However, if packets were queued in the L-queue while the C-queue was empty, this caused a NULL pointer dereference, leading to a potential crash or instability.

The fix ensures that packets are first dequeued from the C-queue if it is not empty, and only then from the L-queue. It also properly checks return values and updates queue statistics to maintain consistency.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel's network scheduler, which may lead to kernel crashes or system instability.

Such crashes can result in denial of service (DoS) conditions, disrupting network traffic handling and potentially affecting the availability of network services on affected systems.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52997. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart