{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22987", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.937Z", "datePublished": "2026-01-23T15:24:08.865Z", "dateUpdated": "2026-05-11T21:57:48.634Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:57:48.634Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy\n\nsyzbot reported a crash in tc_act_in_hw() during netns teardown where\ntcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action\npointer, leading to an invalid dereference.\n\nGuard against ERR_PTR entries when iterating the action IDR so teardown\ndoes not call tc_act_in_hw() on an error pointer."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/act_api.c"], "versions": [{"version": "84a7d6797e6a03705e6b48c613fa424662049d87", "lessThan": "67550a1130b647bb0d093c9c0a810c69aa6a30a8", "status": "affected", "versionType": "git"}, {"version": "84a7d6797e6a03705e6b48c613fa424662049d87", "lessThan": "adb25a46dc0a43173f5ea5f5f58fc8ba28970c7c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/act_api.c"], "versions": [{"version": "6.17", "status": "affected"}, {"version": "0", "lessThan": "6.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.6", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.18.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/67550a1130b647bb0d093c9c0a810c69aa6a30a8"}, {"url": "https://git.kernel.org/stable/c/adb25a46dc0a43173f5ea5f5f58fc8ba28970c7c"}], "title": "net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F535E896-F773-4ED1-84E6-317F81D02785", "versionEndExcluding": "6.18.6", "versionStartIncluding": "6.17", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy\n\nsyzbot reported a crash in tc_act_in_hw() during netns teardown where\ntcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action\npointer, leading to an invalid dereference.\n\nGuard against ERR_PTR entries when iterating the action IDR so teardown\ndoes not call tc_act_in_hw() on an error pointer."}], "id": "CVE-2026-22987", "lastModified": "2026-02-26T18:49:04.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-23T16:15:54.757", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/67550a1130b647bb0d093c9c0a810c69aa6a30a8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/adb25a46dc0a43173f5ea5f5f58fc8ba28970c7c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy", "id": "2432377", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2432377"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-22987", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22987\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22987\nhttps://lore.kernel.org/linux-cve-announce/2026012350-CVE-2026-22987-8984@gregkh/T"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T15:13:08.171173+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that incorporates the fix for this issue, such as any release following 6.19 rc4 that includes the patch shown in the advisory.", "If an immediate kernel upgrade is not possible, limit or disable automated or untrusted processes that perform network namespace teardown until the patch is applied.", "Configure system monitoring to generate alerts on kernel panic or abnormal shutdown events to detect exploitation attempts early."], "summary": {"action": "Apply Patch", "impact": "Denial of Service (kernel crash)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Linux kernel releases that include the buggy net/sched code. Known affected builds are the 6.19 release candidates rc1, rc2, rc3, and rc4, as identified by the provided CPE entries. Earlier kernel versions that contain the same code path may also be vulnerable, but this is not explicitly confirmed in the advisory.", "description_and_impact": "In the Linux kernel\u2019s traffic control subsystem (net/sched), an error handling flaw caused the system to dereference an invalid error pointer during the destruction of a network namespace. This invalid dereference resulted in a kernel panic, disrupting system availability. The weakness is a null pointer dereference (CWE\u2011476).", "risk_and_exploitability": "The CVSS score of 5.5 indicates medium severity, and the EPSS score is below 1%, with no listing in the CISA KEV catalog. The flaw is locally exploitable in the context of kernel operations that delete a network namespace, which typically requires administrative or privilege\u2011escalated access. An attacker would need to trigger a namespace teardown to cause the crash; remote triggering or code execution is not required. Overall, the risk is moderate, principally impacting system availability for users with sufficient privileges on affected kernel versions."}}}}, "created": "2026-04-18T15:15:03.695889+00:00", "updated": "2026-04-18T15:15:03.695899+00:00", "vendors": []}