CVE-2026-22999

Опубликовано: 25 янв. 2026

Источник: redhat

CVSS3: 5.5

EPSS Низкий

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF.

Отчет

A use-after-free can occur in sch_qfq when qfq_change_class() hits an error path that incorrectly frees an already-existing class/qdisc. An attacker with network administration capabilities (typically CAP_NET_ADMIN, often obtainable inside a user namespace) can trigger the bug via crafted tc class changes, leading to a kernel crash.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 10	kernel	Not affected
Red Hat Enterprise Linux 6	kernel	Out of support scope
Red Hat Enterprise Linux 7	kernel	Affected
Red Hat Enterprise Linux 7	kernel-rt	Affected
Red Hat Enterprise Linux 8	kernel	Affected
Red Hat Enterprise Linux 8	kernel-rt	Affected
Red Hat Enterprise Linux 9	kernel	Not affected
Red Hat Enterprise Linux 9	kernel-rt	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

https://bugzilla.redhat.com/show_bug.cgi?id=2432667kernel: net/sched: sch_qfq: do not free existing class in qfq_change_class()

EPSS

Процентиль: 1%

0.00009

Низкий

5.5 Medium

CVSS3

Связанные уязвимости

CVE-2026-22999

CVSS3: 5.5

ubuntu

около 2 месяцев назад

CVE-2026-22999

CVSS3: 5.5

nvd

около 2 месяцев назад

CVE-2026-22999

CVSS3: 5.5

msrc

26 дней назад

net/sched: sch_qfq: do not free existing class in qfq_change_class()

CVE-2026-22999

CVSS3: 5.5

debian

около 2 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: n ...

GHSA-3phq-r8q7-gf9j

CVSS3: 5.5

github

около 2 месяцев назад

EPSS

Процентиль: 1%

0.00009

Низкий

5.5 Medium

CVSS3