{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31421", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.088Z", "datePublished": "2026-04-13T13:40:25.278Z", "dateUpdated": "2026-05-11T22:08:22.956Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:22.956Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_fw: fix NULL pointer dereference on shared blocks\n\nThe old-method path in fw_classify() calls tcf_block_q() and\ndereferences q->handle. Shared blocks leave block->q NULL, causing a\nNULL deref when an empty cls_fw filter is attached to a shared block\nand a packet with a nonzero major skb mark is classified.\n\nReject the configuration in fw_change() when the old method (no\nTCA_OPTIONS) is used on a shared block, since fw_classify()'s\nold-method path needs block->q which is NULL for shared blocks.\n\nThe fixed null-ptr-deref calling stack:\n KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\n RIP: 0010:fw_classify (net/sched/cls_fw.c:81)\n Call Trace:\n tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)\n tc_run (net/core/dev.c:4401)\n __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/cls_fw.c"], "versions": [{"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "d6d5bd62a09650856e1e2010eb09853eba0d64e1", "status": "affected", "versionType": "git"}, {"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "febf64ca79a2d6540ab6e5e197fa0f4f7e84473e", "status": "affected", "versionType": "git"}, {"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "3d41f9a314afa94b1c7c7c75405920123220e8cd", "status": "affected", "versionType": "git"}, {"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28", "status": "affected", "versionType": "git"}, {"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "5cf41031922c154aa5ccda8bcdb0f5e6226582ec", "status": "affected", "versionType": "git"}, {"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "3cb055df9e8625ce699a259d8178d67b37f2b160", "status": "affected", "versionType": "git"}, {"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "96426c348def662b06bfdc65be3002905604927a", "status": "affected", "versionType": "git"}, {"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "faeea8bbf6e958bf3c00cb08263109661975987c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/cls_fw.c"], "versions": [{"version": "4.15", "status": "affected"}, {"version": "0", "lessThan": "4.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.134", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.81", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.22", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.12", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.6.134"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.12.81"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.18.22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.19.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d6d5bd62a09650856e1e2010eb09853eba0d64e1"}, {"url": "https://git.kernel.org/stable/c/febf64ca79a2d6540ab6e5e197fa0f4f7e84473e"}, {"url": "https://git.kernel.org/stable/c/3d41f9a314afa94b1c7c7c75405920123220e8cd"}, {"url": "https://git.kernel.org/stable/c/18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28"}, {"url": "https://git.kernel.org/stable/c/5cf41031922c154aa5ccda8bcdb0f5e6226582ec"}, {"url": "https://git.kernel.org/stable/c/3cb055df9e8625ce699a259d8178d67b37f2b160"}, {"url": "https://git.kernel.org/stable/c/96426c348def662b06bfdc65be3002905604927a"}, {"url": "https://git.kernel.org/stable/c/faeea8bbf6e958bf3c00cb08263109661975987c"}], "title": "net/sched: cls_fw: fix NULL pointer dereference on shared blocks", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_fw: fix NULL pointer dereference on shared blocks\n\nThe old-method path in fw_classify() calls tcf_block_q() and\ndereferences q->handle. Shared blocks leave block->q NULL, causing a\nNULL deref when an empty cls_fw filter is attached to a shared block\nand a packet with a nonzero major skb mark is classified.\n\nReject the configuration in fw_change() when the old method (no\nTCA_OPTIONS) is used on a shared block, since fw_classify()'s\nold-method path needs block->q which is NULL for shared blocks.\n\nThe fixed null-ptr-deref calling stack:\n KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\n RIP: 0010:fw_classify (net/sched/cls_fw.c:81)\n Call Trace:\n tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)\n tc_run (net/core/dev.c:4401)\n __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)"}], "id": "CVE-2026-31421", "lastModified": "2026-04-18T09:16:31.920", "metrics": {}, "published": "2026-04-13T14:16:11.740", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3cb055df9e8625ce699a259d8178d67b37f2b160"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3d41f9a314afa94b1c7c7c75405920123220e8cd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5cf41031922c154aa5ccda8bcdb0f5e6226582ec"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/96426c348def662b06bfdc65be3002905604927a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d6d5bd62a09650856e1e2010eb09853eba0d64e1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/faeea8bbf6e958bf3c00cb08263109661975987c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/febf64ca79a2d6540ab6e5e197fa0f4f7e84473e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net/sched: cls_fw: fix NULL pointer dereference on shared blocks", "id": "2457824", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457824"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["A flaw was found in the Linux kernel's `cls_fw` network scheduler component. This vulnerability, a null pointer dereference, occurs when an empty `cls_fw` filter is attached to a shared block and a specially crafted network packet with a specific mark is processed. An attacker with network access could potentially exploit this to cause a system crash, leading to a Denial of Service (DoS)."], "name": "CVE-2026-31421", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31421\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31421\nhttps://lore.kernel.org/linux-cve-announce/2026041355-CVE-2026-31421-78d7@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1abf272022cf1d18469405f47b4ec49c6a3125db,3d41f9a314afa94b1c7c7c75405920123220e8cd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1abf272022cf1d18469405f47b4ec49c6a3125db,18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1abf272022cf1d18469405f47b4ec49c6a3125db,5cf41031922c154aa5ccda8bcdb0f5e6226582ec)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1abf272022cf1d18469405f47b4ec49c6a3125db,3cb055df9e8625ce699a259d8178d67b37f2b160)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1abf272022cf1d18469405f47b4ec49c6a3125db,96426c348def662b06bfdc65be3002905604927a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1abf272022cf1d18469405f47b4ec49c6a3125db,faeea8bbf6e958bf3c00cb08263109661975987c)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,4.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.134,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.81,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.22,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.12,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-14T01:28:02.158048+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the cls_fw null dereference fix", "Verify the kernel version with \"uname -r\" to ensure the patch is applied", "If immediate kernel upgrade is not possible, avoid configuring empty cls_fw filters on shared blocks to reduce risk"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service (kernel crash)"}, "threat_synthesis": {"affected_systems": "Vendors affected are Linux distributions that ship the Linux kernel. The issue exists in any kernel that has exposed the cls_fw filter and shared block functionality without the patch. No specific version numbers are listed, so any kernel prior to the fix commit is potentially vulnerable.", "description_and_impact": "A null pointer dereference occurs in the cls_fw traffic-control filter when an empty cls_fw filter is attached to a shared block and a packet with a non-zero major skb mark is classified. The vulnerability can cause a kernel panic, leading to a service interruption. The weakness is a NULL pointer dereference, CWE-476.", "risk_and_exploitability": "The CVSS score is 5.5, indicating a moderate severity. The exploit is local and requires permission to configure traffic-control filters, so it is unlikely to be remotely exploitable without elevated privileges. No EPSS value is available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited current exploitation activity. The typical attack path would be an attacker who can deploy traffic-control filters on the machine; they would attach an empty cls_fw filter to a shared block and send a traffic packet with a non\u2013zero mark to trigger the crash."}}}}, "created": "2026-04-14T16:19:19.514977+00:00", "updated": "2026-04-14T16:34:27.512941+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}