PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43496 Linux CVE debrief

CVE-2026-43496 is a Linux kernel networking bug in sch_red that can trigger a kernel panic when red is used with certain child qdiscs, including ones whose peek callback is qdisc_peek_dequeued(). The supplied record describes a failing parent/child dequeue sequence and includes a KASAN null-pointer dereference trace. The fix changes sch_red to use qdisc_dequeue_peeked() after peeking, instead of directly calling the child dequeue path.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

Linux kernel maintainers, distribution security teams, and operators using traffic-control qdiscs should review this issue, especially deployments that combine sch_red with child qdiscs such as qfq and parent schedulers such as tbf. Any environment relying on kernel packet shaping or queue discipline chaining may be affected if it uses the described pattern.

Technical summary

The issue occurs when sch_red has child qdiscs whose peek() behavior is tied to qdisc_peek_dequeued(). In the described flow, the parent peeks at red, red peeks into its child, and then red incorrectly invokes the child's dequeue() path directly. That can leave the child in an invalid state and leads to a null-pointer dereference/panic in qfq_dequeue(), as shown in the supplied trace. The resolved change replaces the direct dequeue call with qdisc_dequeue_peeked() so the skb is taken from the expected peeked state, including the gso_skb queue path described in the record.

Defensive priority

High for systems using the affected qdisc combinations; the issue can crash the kernel and disrupt networking.

Recommended defensive actions

  • Apply the Linux kernel stable fixes referenced in the official record and backport them to affected branches.
  • Inventory hosts that use sch_red, qfq, tbf, or related traffic-control chains to identify exposure.
  • Test any traffic shaping or QoS configurations that rely on queue discipline chaining after patching.
  • Monitor for kernel panic or KASAN-style crash reports tied to qdisc dequeue paths.
  • If you cannot patch immediately, minimize use of the affected sch_red/qfq/tbf combination in production.

Evidence notes

The supplied CVE description states that sch_red can panic when used with child qdiscs whose peek() callback is qdisc_peek_dequeued(), and it explicitly says the fix is to replace the direct dequeue call with qdisc_dequeue_peeked(). The included crash trace shows a null-ptr-deref in qfq_dequeue() reached via red_dequeue() and tbf_dequeue(). The official NVD record links five Linux kernel stable commit URLs associated with the fix. No CVSS score or vector was provided in the source record.

Official resources

The supplied source record shows CVE publication and modification at 2026-05-21T13:16:18.960Z. That timestamp should be used as the disclosure context for this CVE.