CVE-2026-31421

Source
https://cve.org/CVERecord?id=CVE-2026-31421
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31421.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31421
Downstream
Related
Published
2026-04-13T13:40:25.278Z
Modified
2026-07-09T18:31:05.272453272Z
Summary
net/sched: cls_fw: fix NULL pointer dereference on shared blocks
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_fw: fix NULL pointer dereference on shared blocks

The old-method path in fwclassify() calls tcfblockq() and dereferences q->handle. Shared blocks leave block->q NULL, causing a NULL deref when an empty clsfw filter is attached to a shared block and a packet with a nonzero major skb mark is classified.

Reject the configuration in fwchange() when the old method (no TCAOPTIONS) is used on a shared block, since fw_classify()'s old-method path needs block->q which is NULL for shared blocks.

The fixed null-ptr-deref calling stack: KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:fwclassify (net/sched/clsfw.c:81) Call Trace: tcfclassify (./include/net/tcwrapper.h:197 net/sched/clsapi.c:1764 net/sched/clsapi.c:1860) tc_run (net/core/dev.c:4401) __devqueuexmit (net/core/dev.c:4535 net/core/dev.c:4790)

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31421.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1abf272022cf1d18469405f47b4ec49c6a3125db
Fixed
d6d5bd62a09650856e1e2010eb09853eba0d64e1
Fixed
febf64ca79a2d6540ab6e5e197fa0f4f7e84473e
Fixed
3d41f9a314afa94b1c7c7c75405920123220e8cd
Fixed
18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28
Fixed
5cf41031922c154aa5ccda8bcdb0f5e6226582ec
Fixed
3cb055df9e8625ce699a259d8178d67b37f2b160
Fixed
96426c348def662b06bfdc65be3002905604927a
Fixed
faeea8bbf6e958bf3c00cb08263109661975987c

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31421.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
5.10.253
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.203
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.168
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.134
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.81
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.22
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31421.json"