NULL Pointer Dereference Vulnerability in Linux Kernel Network Scheduler
CVE-2026-31421
What is CVE-2026-31421?
A NULL pointer dereference vulnerability exists in the Linux kernel's network scheduler, in the fw_classify function. Shared blocks leave block->q set to NULL, and fw_classify dereferences that pointer when an empty cls_fw filter is attached. As a result, configurations using the deprecated fw_change method on shared blocks can trigger this vulnerability, leading to potential system instability. The fix rejects such configurations, which prevents the conditions that cause the NULL pointer dereference.
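A simplified user-space C model of the defect and its fix, added here as an illustration and not taken from the kernel source or the patch. The struct layouts, the `_unpatched`/`_patched`/`_model` function names and the mark/handle comparison are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model: these structs are assumptions, not kernel definitions. */
struct qdisc  { uint32_t handle; };
struct block  { struct qdisc *q; };   /* q stays NULL for a shared block */
struct filter { struct block *block; int has_table; }; /* 0 = empty filter */

#define MAJ(h) ((h) & 0xFFFF0000u)

/* Pre-fix configuration path: an empty filter is accepted on any block. */
int fw_change_unpatched(struct filter *f, struct block *b, int has_opts)
{
    f->block = b;
    f->has_table = has_opts;
    return 0;
}

/* Post-fix behaviour as the page describes it: the configuration is
 * rejected, so the classifier never runs with block->q == NULL. */
int fw_change_patched(struct filter *f, struct block *b, int has_opts)
{
    if (!has_opts && b->q == NULL)
        return -EINVAL;
    return fw_change_unpatched(f, b, has_opts);
}

/* Classification path for an empty filter: reads block->q->handle with no
 * NULL check, which is the dereference that faults on a shared block.
 * Returns 0 on a match, -1 otherwise. */
int fw_classify_model(const struct filter *f, uint32_t mark, uint32_t *classid)
{
    if (f->has_table)
        return -1;                        /* table lookup is not modelled */
    const struct qdisc *q = f->block->q;  /* NULL when the block is shared */
    if (mark && (MAJ(mark) == 0 || MAJ(mark ^ q->handle) == 0)) {
        *classid = mark;
        return 0;
    }
    return -1;
}
```

The model shows why the check belongs at configuration time: once an empty filter is attached to a shared block, every classified packet reaches the unchecked read.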
Affected Version(s)
Linux 1abf272022cf1d18469405f47b4ec49c6a3125db < 3d41f9a314afa94b1c7c7c75405920123220e8cd
Linux 1abf272022cf1d18469405f47b4ec49c6a3125db < 18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28
Linux 1abf272022cf1d18469405f47b4ec49c6a3125db < 5cf41031922c154aa5ccda8bcdb0f5e6226582ec