CVE-2026-45845
published 2026-05-27CVE-2026-45845: In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix NULL pointer dereference in class dump When a TAPRIO child qdisc is…
medium5.5
In the Linux kernel, the following vulnerability has been resolved:
net/sched: taprio: fix NULL pointer dereference in class dump
When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft()
is called with new == NULL and stores NULL into q->qdiscs[cl - 1].
Subsequent RTM_GETTCLASS dump operations walk all classes via
taprio_walk() and call taprio_dump_class(), which calls taprio_leaf()
returning the NULL pointer, then dereferences it to read child->handle,
causing a kernel NULL pointer dereference.
The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel
with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user
namespaces enabled, an unprivileged local user can trigger a kernel
panic by creating a taprio qdisc inside a new network namespace,
grafting an explicit child qdisc, deleting it, and requesting a class
dump. The RTM_GETTCLASS dump itself requires no capability.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)
Call Trace:
tc_fill_tclass (net/sched/sch_api.c:1966)
qdisc_class_dump (net/sched/sch_api.c:2326)
taprio_walk (net/sched/sch_taprio.c:2514)
tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)
tc_dump_tclass_root (net/sched/sch_api.c:2370)
tc_dump_tclass (net/sched/sch_api.c:2431)
rtnl_dumpit (net/core/rtnetlink.c:6864)
netlink_dump (net/netlink/af_netlink.c:2325)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
Fix this by substituting &noop_qdisc when new is NULL in
taprio_graft(), a common pattern used by other qdiscs (e.g.,
multiq_graft()) to ensure the q->qdiscs[] slots are never NULL.
This makes control-plane dump paths safe without requiring individual
NULL checks.
Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq)
previously had explicit NULL guards tha
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux | — | — |
| linux | linux | >= 665338b2a7a0139337d1f85be65ed16e487f84c1 < ec2501e361b08b50bcb1e7b3253fc861abbda28d | ec2501e361b08b50bcb1e7b3253fc861abbda28d |
| linux | linux | >= 665338b2a7a0139337d1f85be65ed16e487f84c1 < d02e2fbf60de46678e2ea698a6a904fd21e1cc31 | d02e2fbf60de46678e2ea698a6a904fd21e1cc31 |
| linux | linux | >= 665338b2a7a0139337d1f85be65ed16e487f84c1 < 48b26d48e76221dc90b02bf5428bab53643461ca | 48b26d48e76221dc90b02bf5428bab53643461ca |
| linux | linux | >= 665338b2a7a0139337d1f85be65ed16e487f84c1 < 8f1ff8866cb9f655e5faea6994eb902960be8e04 | 8f1ff8866cb9f655e5faea6994eb902960be8e04 |
| linux | linux | >= 665338b2a7a0139337d1f85be65ed16e487f84c1 < 3d07ca5c0fae311226f737963984bd94bb159a87 | 3d07ca5c0fae311226f737963984bd94bb159a87 |
| linux | linux_kernel | — | — |