PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31421 Linux CVE debrief

CVE-2026-31421 is a Linux kernel net/sched cls_fw bug that can trigger a NULL pointer dereference in fw_classify() when the old-method path is used on a shared block. The issue is reached when an empty cls_fw filter is attached to a shared block and a packet with a nonzero major skb mark is classified, which can crash the kernel and affect availability. The fix rejects that configuration in fw_change() for shared blocks.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-13
Original CVE updated
2026-05-20
Advisory published
2026-04-13
Advisory updated
2026-05-20

Who should care

Linux kernel maintainers, distro security teams, and operators running traffic-control or cls_fw configurations on affected kernels should care most. Systems that expose local users or administrative workflows that can configure tc filters are the practical focus, because the CVSS vector is local and low-privilege.

Technical summary

The vulnerability is a CWE-476 NULL pointer dereference in net/sched/cls_fw.c. In the old-method path, fw_classify() calls tcf_block_q() and dereferences q->handle, but shared blocks leave block->q unset, so a NULL dereference occurs during classification. NVD rates the issue CVSS 3.1 5.5/Medium with AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. NVD also lists affected Linux kernel ranges starting at 4.15 and ending before the fixed maintenance releases, plus the 7.0 release candidates called out in the record.

Defensive priority

High for systems that use cls_fw with shared blocks, because the impact is a kernel crash/availability loss and the vulnerable path can be exercised during packet classification. Priority is lower for environments that do not use traffic-control firewall classifiers or shared blocks, but affected kernels should still be patched promptly.

Recommended defensive actions

  • Apply the Linux kernel fixes referenced by the official stable patches linked in the NVD record.
  • Update to a kernel version at or above the fixed maintenance releases listed by NVD for your branch.
  • Review tc/cls_fw usage for shared blocks and avoid configurations that rely on the old-method path until patched.
  • Confirm whether any local administrative tooling or automation creates empty cls_fw filters on shared blocks.
  • Track vendor kernel advisories for backported fixes if you do not run upstream-stable kernels.

Evidence notes

This debrief is based on the CVE record description and the NVD record marked Analyzed. The supplied CVE text states the failure mode: an empty cls_fw filter on a shared block can cause fw_classify() to dereference block->q/q->handle and hit a NULL pointer dereference when classifying a packet with a nonzero major skb mark. NVD classifies the weakness as CWE-476 and assigns CVSS 3.1 5.5/Medium with local, low-privilege impact limited to availability. The official NVD record also provides affected-version criteria and links to kernel.org stable patch references.

Official resources

CVE published on 2026-04-13T14:16:11.740Z and last modified on 2026-05-20T18:10:34.707Z, per the supplied CVE/NVD timeline fields. The supplied record does not indicate KEV inclusion.