CVE-2026-31422 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_flow: fix NULL pointer dereference on shared blocks flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block. Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below: ======================================================================= KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:flow_change (net/sched/cls_flow.c:508) Call Trace: tc_new_tfilter (net/sched/cls_api.c:2432) rtnetlink_rcv_msg (net/core/rtnetlink.c:6980) [...] =======================================================================

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

References

Link	Providers
https://git.kernel.org/stable/c/1a280dd4bd1d616a01d6ffe0de284c907b555504
https://git.kernel.org/stable/c/415ea0c973c754b9f375225807810eb9045f4293
https://git.kernel.org/stable/c/4a09f72007201c9f667dc47f64517ec23eea65e5
https://git.kernel.org/stable/c/9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e
https://git.kernel.org/stable/c/a208c3e1232997e9317887294c20008dfcb75449
https://git.kernel.org/stable/c/cc707a4fd4c3b6ab2722e06bc359aa010e13d408

History

Mon, 13 Apr 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_flow: fix NULL pointer dereference on shared blocks flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block. Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below: ======================================================================= KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:flow_change (net/sched/cls_flow.c:508) Call Trace: tc_new_tfilter (net/sched/cls_api.c:2432) rtnetlink_rcv_msg (net/core/rtnetlink.c:6980) [...] =======================================================================
Title		net/sched: cls_flow: fix NULL pointer dereference on shared blocks
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1a280dd4bd1d616a01d6ffe0de284c907b555504 https://git.kernel.org/stable/c/415ea0c973c754b9f375225807810eb9045f4293 https://git.kernel.org/stable/c/4a09f72007201c9f667dc47f64517ec23eea65e5 https://git.kernel.org/stable/c/9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e https://git.kernel.org/stable/c/a208c3e1232997e9317887294c20008dfcb75449 https://git.kernel.org/stable/c/cc707a4fd4c3b6ab2722e06bc359aa010e13d408

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-13T13:40:25.911Z

Updated: 2026-04-13T13:40:25.911Z

Reserved: 2026-03-09T15:48:24.088Z

Link: CVE-2026-31422

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-13T14:16:11.907

Modified: 2026-04-13T14:16:11.907

Link: CVE-2026-31422

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object