DEBIAN-CVE-2026-31421
In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_fw: fix NULL pointer dereference on shared blocks The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle. Shared blocks leave block->q NULL, causing a NULL deref when an empty cls_fw filter is attached to a shared block and a packet with a nonzero major skb mark is classified. Reject the configuration in fw_change() when the old method (no TCA_OPTIONS) is used on a shared block, since fw_classify()'s old-method path needs block->q which is NULL for shared blocks. The fixed null-ptr-deref calling stack: KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:fw_classify (net/sched/cls_fw.c:81) Call Trace: tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860) tc_run (net/core/dev.c:4401) __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | linux | *, 6.12.9-1~bpo12+1, 6.13.10-1~exp1 |
| Debian:13 | linux | 6.12.85-1, 6.12.74-2, 6.12.74-2 |
| Debian:11 | linux | 5.16.7-2, 6.10.4-1, 6.10.6-1 |
| Debian:14 | linux | 6.16.12-1, 6.19, 6.19 |
| Debian:11 | linux-6.1 | 6.1.106-3, 6.1.106-3, 6.1.106-3 |
Timeline
- Apr 13, 2026 CVE Published
- May 2, 2026 CVE Updated