CVE-2026-22999
Description
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: do not free existing class in qfq_change_class()
Fixes qfq_change_class() error case.
cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Linux kernel's QFQ scheduler due to improper freeing of existing class in qfq_change_class() error path.
Vulnerability
CVE-2026-22999 is a use-after-free vulnerability in the Quick Fair Queueing (QFQ) packet scheduler within the Linux kernel's network subsystem. The bug resides in the qfq_change_class() function, which, upon encountering an error, incorrectly frees the existing class structure (cl) and its associated qdisc even when the class was not newly allocated [1][2][3]. This results in dangling pointers that can be subsequently dereferenced, leading to a use-after-free condition.
Exploitation
An attacker needs local access and the CAP_NET_ADMIN capability to modify traffic control settings. By crafting a class modification request that triggers an error (e.g., providing invalid parameters), the attacker can force the erroneous free of a class that is still referenced elsewhere in the kernel. No special network position is required beyond the ability to execute tc commands.
Impact
Successful exploitation can cause a kernel crash (denial of service) or, potentially, arbitrary code execution in kernel context, leading to privilege escalation. The use-after-free affects kernel memory structures, providing an attacker with control over freed memory.
Mitigation
The fix was applied in Linux kernel stable updates [1][2][3]. Users should ensure their kernel is updated to a version containing the commit. No workarounds are available; the only mitigation is to apply the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=3.8,<5.10.249
- cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
- (no CPE)
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/0a234660dc70ce45d771cbc76b20d925b73ec160nvdPatch
- git.kernel.org/stable/c/2a64fb9b47afffeb5dbab5fd3a518e1436dcc90envdPatch
- git.kernel.org/stable/c/362e269bb03f7076ba9990e518aeddb898232e50nvdPatch
- git.kernel.org/stable/c/3879cffd9d07aa0377c4b8835c4f64b4fb24ac78nvdPatch
- git.kernel.org/stable/c/cff6cd703f41d8071995956142729e4bba160363nvdPatch
- git.kernel.org/stable/c/e9d8f11652fa08c647bf7bba7dd8163241a332cdnvdPatch
- git.kernel.org/stable/c/f06f7635499bc806cbe2bbc8805c7cef8b1edddfnvdPatch
News mentions
0No linked articles in our index yet.