In the Linux kernel, the following vulnerability has been resolved:
net/sched: taprio: fix NULL pointer dereference in class dump
When a TAPRIO child qdisc is deleted via RTMDELQDISC, tapriograft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTMGETTCLASS dump operations walk all classes via tapriowalk() and call tapriodumpclass(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.
The bug is reachable with namespace-scoped CAPNETADMIN on any kernel with CONFIGNETSCHTAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTMGETTCLASS dump itself requires no capability.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:tapriodumpclass (net/sched/schtaprio.c:2478) Call Trace: <TASK> tcfilltclass (net/sched/schapi.c:1966) qdiscclassdump (net/sched/schapi.c:2326) tapriowalk (net/sched/schtaprio.c:2514) tcdumptclassqdisc (net/sched/schapi.c:2352) tcdumptclassroot (net/sched/schapi.c:2370) tcdumptclass (net/sched/schapi.c:2431) rtnldumpit (net/core/rtnetlink.c:6864) netlinkdump (net/netlink/afnetlink.c:2325) rtnetlinkrcvmsg (net/core/rtnetlink.c:6959) netlinkrcvskb (net/netlink/afnetlink.c:2550) </TASK>
Fix this by substituting &noopqdisc when new is NULL in tapriograft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.
Since the data-plane paths (taprioenqueue and tapriodequeuefromtxq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noopqdisc instead. Without this, packets would reach taprioenqueueone() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noopqdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.
After this change *old can be a valid qdisc, NULL, or &noopqdisc. Only call qdiscput(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45845.json",
"cna_assigner": "Linux"
}