In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_fw: fix NULL pointer dereference on shared blocks
The old-method path in fwclassify() calls tcfblockq() and dereferences q->handle. Shared blocks leave block->q NULL, causing a NULL deref when an empty clsfw filter is attached to a shared block and a packet with a nonzero major skb mark is classified.
Reject the configuration in fwchange() when the old method (no TCAOPTIONS) is used on a shared block, since fw_classify()'s old-method path needs block->q which is NULL for shared blocks.
The fixed null-ptr-deref calling stack: KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:fwclassify (net/sched/clsfw.c:81) Call Trace: tcfclassify (./include/net/tcwrapper.h:197 net/sched/clsapi.c:1764 net/sched/clsapi.c:1860) tc_run (net/core/dev.c:4401) __devqueuexmit (net/core/dev.c:4535 net/core/dev.c:4790)
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31421.json",
"cna_assigner": "Linux"
}