PatchSiren cyber security CVE debrief

CVE-2026-31423 Linux CVE debrief

CVE-2026-31423 is a Linux kernel availability issue in the sch_hfsc traffic scheduler. Under specific large-input conditions, a 64-bit difference is truncated into a 32-bit divisor in rtsc_min(), which can become zero and trigger a divide-by-zero kernel oops in the concave-curve intersection path. The CVE is rated medium severity (CVSS 5.5) and is primarily a denial-of-service concern for systems using the affected scheduler code.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-13
Original CVE updated: 2026-05-20
Advisory published: 2026-04-13
Advisory updated: 2026-05-20

Who should care

Kernel maintainers, distro security teams, and operators running Linux kernels that use traffic shaping with the HFSC scheduler should review this CVE. It is most relevant where local users or privileged workloads can exercise the scheduler path, and where kernel availability matters.

Technical summary

The issue is in net/sched/sch_hfsc.c. The CVE description states that m2sm() can convert large u32 slope inputs into u64 scaled values reaching 2^32. rtsc_min() then stores the difference of two such u64 values in a u32 variable named dsm and uses that value as a divisor. When the true difference is exactly 2^32, truncation produces zero, leading to a divide-by-zero oops in rtsc_min() (shown at line 601 in the report) and a call chain through init_ed() and hfsc_enqueue(). The reported fix is to widen dsm to u64 and replace do_div() with div64_u64() so the full difference is preserved.
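The truncation described above, reduced to its arithmetic as an added illustration (this is a model written for this debrief, not the kernel's rtsc_min(); sm1, sm2 and the helper names are assumed stand-ins for the u64 scaled slopes that m2sm() produces):

```c
#include <stdint.h>
#include <stdio.h>

/* Buggy pattern: the u64 difference is assigned to a u32, so a true
 * difference of exactly 2^32 wraps to 0 and then serves as a divisor. */
uint32_t dsm_truncated(uint64_t sm1, uint64_t sm2)
{
    uint32_t dsm = (uint32_t)(sm1 - sm2);   /* high 32 bits discarded */
    return dsm;
}

/* Fixed pattern: keep the full 64-bit difference, as the reported fix
 * does by widening dsm to u64 and dividing with div64_u64(). */
uint64_t dsm_widened(uint64_t sm1, uint64_t sm2)
{
    uint64_t dsm = sm1 - sm2;
    return dsm;
}

/* 1 when the truncated divisor is zero although the real difference is
 * not, i.e. exactly the condition that would oops in the buggy kernel. */
int truncation_zeroes_divisor(uint64_t sm1, uint64_t sm2)
{
    return dsm_truncated(sm1, sm2) == 0 && dsm_widened(sm1, sm2) != 0;
}

/* Stand-in for the division step. Sets *faulted and returns 0 on a zero
 * divisor; the kernel has no such guard and takes a divide-by-zero oops. */
uint64_t divide_or_fault(uint64_t dividend, uint64_t divisor, int *faulted)
{
    if (divisor == 0) {
        *faulted = 1;
        return 0;
    }
    *faulted = 0;
    return dividend / divisor;
}

int main(void)
{
    /* Constructed inputs whose difference is exactly 2^32. */
    uint64_t sm1 = (uint64_t)1 << 32, sm2 = 0, dx = (uint64_t)1 << 40;
    int faulted;

    uint64_t q = divide_or_fault(dx, dsm_truncated(sm1, sm2), &faulted);
    printf("u32 dsm=%u -> %s\n", dsm_truncated(sm1, sm2),
           faulted ? "divide-by-zero" : "ok");
    q = divide_or_fault(dx, dsm_widened(sm1, sm2), &faulted);
    printf("u64 dsm=%llu -> quotient %llu\n",
           (unsigned long long)dsm_widened(sm1, sm2), (unsigned long long)q);
    return 0;
}
```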

Defensive priority

Medium. This is an availability-impacting kernel bug whose CVSS vector requires local access with low privileges, but it can hard-crash or destabilize any system that reaches the affected code path. For production kernels, it should be handled as a timely patch-management item rather than deferred.

Recommended defensive actions

  • Apply the kernel updates or backports that contain the sch_hfsc fix referenced in the official stable patch links.
  • Verify whether your distribution kernel includes the fix for the affected release series before assuming the upstream version range alone is sufficient.
  • If your environment does not use HFSC traffic control, confirm whether the scheduler code is nevertheless present in the running kernel (built in or available as a loadable module) and keep the fix in your normal kernel update cadence.
  • Prioritize patching on systems where kernel availability is critical or where untrusted or multi-tenant workloads may interact with traffic control features.
  • Track distro advisories and confirm the final fixed build for your kernel branch, since NVD lists multiple affected version ranges and backported stable branches.

Evidence notes

All claims here are based on the CVE description and NVD record provided in the corpus. The CVE description identifies the root cause, affected function, call trace context, and the intended fix. The NVD record marks the issue as analyzed, assigns CWE-369, provides CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, and lists broad affected Linux kernel version ranges with several stable patch references. Published date used here is the CVE publication timestamp 2026-04-13T14:16:12.070Z; modified timestamp 2026-05-20T18:06:31.413Z is treated only as update context.

Official resources

CVE published 2026-04-13T14:16:12.070Z and later modified 2026-05-20T18:06:31.413Z. No evidence in the provided corpus indicates KEV listing, ransomware use, or public exploitation details.