CVE-2026-31421
Description
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_fw: fix NULL pointer dereference on shared blocks
The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle. Shared blocks leave block->q NULL, causing a NULL deref when an empty cls_fw filter is attached to a shared block and a packet with a nonzero major skb mark is classified.
Reject the configuration in fw_change() when the old method (no TCA_OPTIONS) is used on a shared block, since fw_classify()'s old-method path needs block->q which is NULL for shared blocks.
The fixed null-ptr-deref calling stack:
 KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
 RIP: 0010:fw_classify (net/sched/cls_fw.c:81)
 Call Trace:
  tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)
  tc_run (net/core/dev.c:4401)
  __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in the Linux kernel's cls_fw classifier crashes the system when a filter configured without TCA_OPTIONS is attached to a shared block.
Vulnerability
CVE-2026-31421 is a NULL pointer dereference vulnerability in the Linux kernel's net/sched cls_fw classifier. The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle. For shared blocks, block->q is set to NULL, leading to a NULL dereference when a packet with a nonzero major skb mark is classified through an empty cls_fw filter attached to a shared block.
Exploitation
An attacker can trigger this vulnerability by configuring a cls_fw classifier on a shared block without the TCA_OPTIONS attribute (the old method). When a packet with a nonzero major skb mark is then processed, fw_classify() dereferences the NULL block->q pointer, causing a kernel crash. No authentication is needed if the attacker can configure traffic control rules, an ability that typically requires root privileges or CAP_NET_ADMIN.
Impact
Successful exploitation causes a denial of service (DoS) via a kernel NULL pointer dereference, leading to a system crash or an unrecoverable state. The vulnerability does not allow privilege escalation or information disclosure; its impact is limited to system availability.
Mitigation
The Linux kernel upstream has fixed the issue by rejecting the old-method configuration in fw_change() when a shared block is used. The fix is included in stable kernel commits [1], [2], [3], [4]. Users should apply the latest stable kernel updates to remediate the vulnerability. No workaround is available for unpatched systems.
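The condition described above and the check the fix adds, as an added userspace model (not kernel source, and not code from the referenced commits). The struct and function names are hypothetical, the -EINVAL return value is an assumption, and the old-method test quoted in the comment is reproduced from the upstream cls_fw.c as an assumption, since the page does not show it.

```c
/* Userspace model of the cls_fw old-method path; not kernel source. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TC_H_MAJ(h) ((h) & 0xFFFF0000U)

struct qdisc { uint32_t handle; };   /* stand-in for struct Qdisc */
struct block { struct qdisc *q; };   /* stand-in for tcf_block; q == NULL when shared */

/* True when the old-method test would have to read q->handle while q is NULL.
 * Assumed test: mark && (TC_H_MAJ(mark) == 0 || !TC_H_MAJ(mark ^ q->handle)).
 * Short-circuiting skips q->handle for mark == 0 and for a zero major. */
bool old_path_reads_null_q(const struct block *b, uint32_t mark)
{
    return b->q == NULL && mark != 0 && TC_H_MAJ(mark) != 0;
}

/* Models the check the fix adds to fw_change(): the old method (no options)
 * is refused on a shared block. The errno value is an assumption. */
int model_fw_change(const struct block *b, bool have_options)
{
    if (!have_options && b->q == NULL)
        return -EINVAL;
    return 0;
}

int main(void)
{
    struct qdisc root = { .handle = 0x00010000U };   /* constructed values */
    struct block owned = { .q = &root }, shared = { .q = NULL };
    uint32_t marks[] = { 0x0U, 0x00000001U, 0x00010001U };

    for (size_t i = 0; i < sizeof(marks) / sizeof(marks[0]); i++)
        printf("mark=0x%08x shared:%d owned:%d\n", (unsigned)marks[i],
               old_path_reads_null_q(&shared, marks[i]),
               old_path_reads_null_q(&owned, marks[i]));
    printf("fw_change old method on shared block -> %d\n",
           model_fw_change(&shared, false));
    return 0;
}
```

The model shows why only marks with a nonzero major reach the dereference, and why rejecting the configuration in fw_change() closes the path before any packet is classified.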
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References (8)
- git.kernel.org/stable/c/18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28 (nvd, Patch)
- git.kernel.org/stable/c/3cb055df9e8625ce699a259d8178d67b37f2b160 (nvd, Patch)
- git.kernel.org/stable/c/3d41f9a314afa94b1c7c7c75405920123220e8cd (nvd, Patch)
- git.kernel.org/stable/c/5cf41031922c154aa5ccda8bcdb0f5e6226582ec (nvd, Patch)
- git.kernel.org/stable/c/96426c348def662b06bfdc65be3002905604927a (nvd, Patch)
- git.kernel.org/stable/c/d6d5bd62a09650856e1e2010eb09853eba0d64e1 (nvd, Patch)
- git.kernel.org/stable/c/faeea8bbf6e958bf3c00cb08263109661975987c (nvd, Patch)
- git.kernel.org/stable/c/febf64ca79a2d6540ab6e5e197fa0f4f7e84473e (nvd, Patch)
News mentions (1)
- Patch Tuesday - April 2026 (Rapid7 Blog · Apr 14, 2026)