HIGH
net/sched QFQ UAF
CVE-2026-22999
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.6 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_qfq: do not free existing class in qfq_change_class()

Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the QFQ traffic scheduler allows local attackers with CAP_NET_ADMIN to cause kernel crashes or potentially execute arbitrary code. The bug occurs when modifying existing QFQ classes through netlink, incorrectly freeing objects still in use.
Vulnerability analysis
The qfq_change_class() function incorrectly frees existing class objects and their associated qdiscs in error paths, even when modifying existing classes rather than creating new ones. This creates a use-after-free condition where freed memory may still be referenced elsewhere in the kernel. The fix adds a conditional check to only free objects when creating new classes, preventing the premature deallocation. Attack surface is local through TC netlink sockets requiring CAP_NET_ADMIN capability, which is obtainable in user namespaces on default kernels.
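The error-path pattern described above, as an added userspace model (not the kernel's code and not part of the original advisory). All names, the class table and the simulated failing step are hypothetical, and "release" only sets a flag so the stale reference can be observed safely:

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model, not kernel code. "Release" only sets a flag (memory is
 * deliberately never returned to the allocator) so a stale reference can be
 * observed without undefined behaviour. All names are hypothetical. */
struct model_qdisc { bool released; };
struct model_class { struct model_qdisc *qdisc; bool released; int weight; };

struct model_class *class_table[4];      /* stands in for the class lookup table */

static struct model_class *model_alloc_class(void)
{
    struct model_class *cl = calloc(1, sizeof(*cl));
    if (cl && !(cl->qdisc = calloc(1, sizeof(*cl->qdisc)))) {
        free(cl);
        return NULL;
    }
    return cl;
}

/* Create the class in `slot`, or modify it if it already exists.
 * fail_step: simulate a failing setup step (assumed stand-in for the error case).
 * guarded:   true = release only freshly allocated objects (fixed behaviour). */
int model_change_class(int slot, int weight, bool fail_step, bool guarded)
{
    struct model_class *existing = class_table[slot];
    struct model_class *cl = existing ? existing : model_alloc_class();

    if (!cl)
        return -1;
    if (fail_step) {
        if (!guarded || !existing) {     /* unguarded: runs for existing classes too */
            cl->qdisc->released = true;
            cl->released = true;
        }
        return -1;
    }
    cl->weight = weight;
    class_table[slot] = cl;
    return 0;
}

/* True when the table still points at a class or qdisc that was released. */
bool model_slot_dangling(int slot)
{
    struct model_class *cl = class_table[slot];
    return cl && (cl->released || cl->qdisc->released);
}
```

With `guarded` set, a failed change to an existing class leaves the table entry intact; without it, the table keeps pointing at released objects, which is the use-after-free precondition the fix removes.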
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.249 | 2a64fb9b47af |
| 5.15 | 5.15.199 | cff6cd703f41 |
| 6.1 | 6.1.162 | f06f7635499b |
| 6.12 | 6.12.67 | 362e269bb03f |
| 6.18 | 6.18.7 | e9d8f11652fa |
| 6.6 | 6.6.122 | 0a234660dc70 |
| mainline | 6.19 | 3879cffd9d07 |