CVE-2026-45845

Source
https://cve.org/CVERecord?id=CVE-2026-45845
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45845.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45845
Downstream
Related
Published
2026-05-27T09:24:48.438Z
Modified
2026-07-15T01:49:08.165060911Z
Summary
net/sched: taprio: fix NULL pointer dereference in class dump
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: taprio: fix NULL pointer dereference in class dump

When a TAPRIO child qdisc is deleted via RTMDELQDISC, tapriograft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTMGETTCLASS dump operations walk all classes via tapriowalk() and call tapriodumpclass(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.

The bug is reachable with namespace-scoped CAPNETADMIN on any kernel with CONFIGNETSCHTAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTMGETTCLASS dump itself requires no capability.

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:tapriodumpclass (net/sched/schtaprio.c:2478) Call Trace: <TASK> tcfilltclass (net/sched/schapi.c:1966) qdiscclassdump (net/sched/schapi.c:2326) tapriowalk (net/sched/schtaprio.c:2514) tcdumptclassqdisc (net/sched/schapi.c:2352) tcdumptclassroot (net/sched/schapi.c:2370) tcdumptclass (net/sched/schapi.c:2431) rtnldumpit (net/core/rtnetlink.c:6864) netlinkdump (net/netlink/afnetlink.c:2325) rtnetlinkrcvmsg (net/core/rtnetlink.c:6959) netlinkrcvskb (net/netlink/afnetlink.c:2550) </TASK>

Fix this by substituting &noopqdisc when new is NULL in tapriograft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.

Since the data-plane paths (taprioenqueue and tapriodequeuefromtxq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noopqdisc instead. Without this, packets would reach taprioenqueueone() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noopqdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.

After this change *old can be a valid qdisc, NULL, or &noopqdisc. Only call qdiscput(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45845.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
665338b2a7a0139337d1f85be65ed16e487f84c1
Fixed
ec2501e361b08b50bcb1e7b3253fc861abbda28d
Fixed
d02e2fbf60de46678e2ea698a6a904fd21e1cc31
Fixed
48b26d48e76221dc90b02bf5428bab53643461ca
Fixed
8f1ff8866cb9f655e5faea6994eb902960be8e04
Fixed
3d07ca5c0fae311226f737963984bd94bb159a87

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45845.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45845.json"