{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31422", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.088Z", "datePublished": "2026-04-13T13:40:25.911Z", "dateUpdated": "2026-05-11T22:08:24.111Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:24.111Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_flow: fix NULL pointer dereference on shared blocks\n\nflow_change() calls tcf_block_q() and dereferences q->handle to derive\na default baseclass. Shared blocks leave block->q NULL, causing a NULL\nderef when a flow filter without a fully qualified baseclass is created\non a shared block.\n\nCheck tcf_block_shared() before accessing block->q and return -EINVAL\nfor shared blocks. This avoids the null-deref shown below:\n\n=======================================================================\nKASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\nRIP: 0010:flow_change (net/sched/cls_flow.c:508)\nCall Trace:\n tc_new_tfilter (net/sched/cls_api.c:2432)\n rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)\n [...]\n======================================================================="}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/cls_flow.c"], "versions": [{"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "57f94ac7e953eece5ed4819605a18f3cdfc63dcc", "status": "affected", "versionType": "git"}, {"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "942813276edeb1741fa5b0a73471beb4e495fa08", "status": "affected", "versionType": "git"}, {"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "cc707a4fd4c3b6ab2722e06bc359aa010e13d408", "status": "affected", "versionType": "git"}, {"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "4a09f72007201c9f667dc47f64517ec23eea65e5", "status": "affected", "versionType": "git"}, {"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e", "status": "affected", "versionType": "git"}, {"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "a208c3e1232997e9317887294c20008dfcb75449", "status": "affected", "versionType": "git"}, {"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "415ea0c973c754b9f375225807810eb9045f4293", "status": "affected", "versionType": "git"}, {"version": "1abf272022cf1d18469405f47b4ec49c6a3125db", "lessThan": "1a280dd4bd1d616a01d6ffe0de284c907b555504", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/cls_flow.c"], "versions": [{"version": "4.15", "status": "affected"}, {"version": "0", "lessThan": "4.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.134", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.81", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.22", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.12", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.6.134"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.12.81"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.18.22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.19.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/57f94ac7e953eece5ed4819605a18f3cdfc63dcc"}, {"url": "https://git.kernel.org/stable/c/942813276edeb1741fa5b0a73471beb4e495fa08"}, {"url": "https://git.kernel.org/stable/c/cc707a4fd4c3b6ab2722e06bc359aa010e13d408"}, {"url": "https://git.kernel.org/stable/c/4a09f72007201c9f667dc47f64517ec23eea65e5"}, {"url": "https://git.kernel.org/stable/c/9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e"}, {"url": "https://git.kernel.org/stable/c/a208c3e1232997e9317887294c20008dfcb75449"}, {"url": "https://git.kernel.org/stable/c/415ea0c973c754b9f375225807810eb9045f4293"}, {"url": "https://git.kernel.org/stable/c/1a280dd4bd1d616a01d6ffe0de284c907b555504"}], "title": "net/sched: cls_flow: fix NULL pointer dereference on shared blocks", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_flow: fix NULL pointer dereference on shared blocks\n\nflow_change() calls tcf_block_q() and dereferences q->handle to derive\na default baseclass. Shared blocks leave block->q NULL, causing a NULL\nderef when a flow filter without a fully qualified baseclass is created\non a shared block.\n\nCheck tcf_block_shared() before accessing block->q and return -EINVAL\nfor shared blocks. This avoids the null-deref shown below:\n\n=======================================================================\nKASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\nRIP: 0010:flow_change (net/sched/cls_flow.c:508)\nCall Trace:\n tc_new_tfilter (net/sched/cls_api.c:2432)\n rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)\n [...]\n======================================================================="}], "id": "CVE-2026-31422", "lastModified": "2026-04-18T09:16:32.090", "metrics": {}, "published": "2026-04-13T14:16:11.907", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1a280dd4bd1d616a01d6ffe0de284c907b555504"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/415ea0c973c754b9f375225807810eb9045f4293"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4a09f72007201c9f667dc47f64517ec23eea65e5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/57f94ac7e953eece5ed4819605a18f3cdfc63dcc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/942813276edeb1741fa5b0a73471beb4e495fa08"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a208c3e1232997e9317887294c20008dfcb75449"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cc707a4fd4c3b6ab2722e06bc359aa010e13d408"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net/sched: cls_flow: fix NULL pointer dereference on shared blocks", "id": "2457834", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457834"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["A flaw was found in the Linux kernel's networking scheduler (net/sched) component, specifically within the flow classifier (cls_flow). A local user could exploit this vulnerability by creating a flow filter without a fully qualified baseclass on a shared block. This action causes a null pointer dereference, which can lead to a system crash, resulting in a Denial of Service (DoS)."], "name": "CVE-2026-31422", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31422\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31422\nhttps://lore.kernel.org/linux-cve-announce/2026041356-CVE-2026-31422-04eb@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1abf272022cf1d18469405f47b4ec49c6a3125db,cc707a4fd4c3b6ab2722e06bc359aa010e13d408)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1abf272022cf1d18469405f47b4ec49c6a3125db,4a09f72007201c9f667dc47f64517ec23eea65e5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1abf272022cf1d18469405f47b4ec49c6a3125db,9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1abf272022cf1d18469405f47b4ec49c6a3125db,a208c3e1232997e9317887294c20008dfcb75449)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1abf272022cf1d18469405f47b4ec49c6a3125db,415ea0c973c754b9f375225807810eb9045f4293)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1abf272022cf1d18469405f47b4ec49c6a3125db,1a280dd4bd1d616a01d6ffe0de284c907b555504)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,4.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.168,6.2.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.134,6.7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.81,6.13.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.22,6.19.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.12,6.20.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-14T02:23:53.876242+00:00", "value": {"mitigation_remediation": ["Check if the running kernel includes the commit that introduces the null\u2011check in tcf_block_shared(); if not, upgrade the kernel to the latest stable release that contains the patch.", "Verify the patch by reviewing the change list or running 'uname -r' to confirm the kernel version matches known fixed releases."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via Kernel Crash"}, "threat_synthesis": {"affected_systems": "Any system running a Linux kernel that includes the vulnerable cls_flow implementation and has not yet incorporated the patch adding a null\u2011check on shared blocks is affected. The vulnerability resides in the core kernel, so it applies to all distributions that ship the unpatched kernel source. Specific version identifiers are not listed in the data, but any kernel version preceding the commit that adds the check should be considered vulnerable.", "description_and_impact": "The vulnerability exists in the Linux kernel\u2019s traffic\u2011control module, specifically the cls_flow subsystem. When a flow filter is created on a shared block whose queue pointer is null, a function dereferences the handle of a null queue, resulting in a kernel panic. This is a pure crash condition that can cause the system to become unusable, but it does not allow execution of arbitrary code or compromise of data.", "risk_and_exploitability": "The CVSS score of 4.7 classifies the severity as moderate. An EPSS value is not available, and the flaw is not listed in CISA\u2019s KEV catalog, indicating no widespread confirmed exploitation. The data describes the kernel panic trigger but does not specify how to reach the vulnerable code. Based on the description, it is inferred that an attacker could need to send a specially crafted netlink message to the networking stack to create the problematic flow filter. However, the exact privilege level required (e.g., root, CAP_NET_ADMIN) is not directly stated in the available information. Consequently, the overall risk is moderate for hosts where an attacker can attain necessary privileges or influence networking configurations, while it is lower for environments lacking such access."}}}}, "created": "2026-04-14T16:19:18.386912+00:00", "updated": "2026-04-14T16:34:26.499587+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}