VYPR
Medium severity (5.5) · NVD Advisory · Published Apr 13, 2026 · Updated May 20, 2026

CVE-2026-31422

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_flow: fix NULL pointer dereference on shared blocks

flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block.

Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below:

=======================================================================
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:flow_change (net/sched/cls_flow.c:508)
Call Trace:
 tc_new_tfilter (net/sched/cls_api.c:2432)
 rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)
 [...]
=======================================================================
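The guard described above, as an added userspace model; it is not the kernel patch and not code from this page. `derive_baseclass`, the stand-in structs, the non-zero-index test for "shared", the minor-defaults-to-1 step and the sample handles are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* tc handle layout: major in the high 16 bits, minor in the low 16. */
#define TC_H_MAJ(h) ((h) & 0xFFFF0000U)
#define TC_H_MIN(h) ((h) & 0x0000FFFFU)
#define TC_H_MAKE(maj, min) (TC_H_MAJ(maj) | TC_H_MIN(min))

/* Stand-in structs with only the fields the description mentions. */
struct Qdisc { uint32_t handle; };
struct tcf_block { struct Qdisc *q; uint32_t index; };

/* Constructed samples: qdisc 1:, a block it owns, and shared block 22. */
static struct Qdisc sample_q = { 0x00010000U };
static struct tcf_block owned_block = { &sample_q, 0 };
static struct tcf_block shared_block = { NULL, 22 };

/* Model assumption: a shared block is one with a non-zero block index. */
static int tcf_block_shared(const struct tcf_block *b) { return b->index != 0; }

/*
 * Hypothetical helper modelling the patched default-baseclass logic.
 * Returns 0 and stores the class in *out, or -EINVAL when a default major
 * would have to come from block->q on a shared block (where q is NULL).
 */
static int derive_baseclass(const struct tcf_block *b, uint32_t baseclass,
                            uint32_t *out)
{
    if (TC_H_MAJ(baseclass) == 0) {      /* not fully qualified */
        if (tcf_block_shared(b))
            return -EINVAL;              /* the added guard */
        baseclass = TC_H_MAKE(b->q->handle, baseclass);
    }
    if (TC_H_MIN(baseclass) == 0)
        baseclass = TC_H_MAKE(baseclass, 1);
    *out = baseclass;
    return 0;
}

int main(void)
{
    uint32_t bc = 0;
    int rc = derive_baseclass(&shared_block, 0, &bc);
    printf("shared, unqualified: rc=%d\n", rc);
    rc = derive_baseclass(&owned_block, 0, &bc);
    printf("owned, unqualified: rc=%d class=%x:%x\n", rc, bc >> 16, bc & 0xFFFF);
    return 0;
}
```

In this model a fully qualified baseclass still succeeds on a shared block, because the guard sits only on the path that would read `q->handle`.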

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-31422 is a NULL pointer dereference in the Linux kernel's cls_flow when creating a filter on a shared TC block, leading to a denial of service.

CVE-2026-31422 is a NULL pointer dereference vulnerability in the Linux kernel's network traffic control subsystem, specifically in the cls_flow classifier. The root cause lies in the flow_change() function, which unconditionally calls tcf_block_q() to obtain the Qdisc handle from a block pointer. When a flow filter is created on a shared block, the block's q field is NULL because shared blocks are not associated with a single Qdisc. Dereferencing this NULL pointer leads to a kernel crash, as demonstrated by the KASAN report in the commit message [1][2][3].

An attacker can trigger this vulnerability locally by creating a traffic control filter with the flow classifier on a shared block. No authentication is required beyond the ability to execute tc commands or use a netlink socket to add a filter. The attack surface is accessible to any unprivileged user on the system who can create a netlink socket and invoke the TC_NEWTFILTER operation. The shared block can be set up by creating an ingress qdisc with the block flag or by binding multiple qdiscs to the same block [4][1].

Successful exploitation results in a NULL pointer dereference in the kernel, leading to a system crash (denial of service). The impact is limited to availability, as the crash causes a kernel panic or oops, terminating the affected process and potentially the entire system. The CVSS v3 score of 5.5 (Medium) reflects this local, low-complexity DoS impact [2].

The fix, introduced in several stable kernel commits, adds a check for tcf_block_shared() before accessing block->q. If the block is shared, flow_change() returns -EINVAL, preventing the NULL dereference. Administrators are advised to apply the respective kernel patch for their distribution. As of the publication date, no known exploitation in the wild has been reported, and the vulnerability does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog [3][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
