HIGH
net/sched QFQ StateValidation
CVE-2026-23105
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 6.4 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag

This is more of a preventive patch to make the code more consistent and to prevent possible exploits that employ child qlen manipulations on qfq. Use cl_is_active instead of relying on the child qdisc's qlen to determine class activation.
02 KernelScan AI Analysis
Risk summary
Systems using QFQ traffic control with privileged users are at risk. An attacker with CAP_NET_ADMIN can manipulate queue lengths to cause scheduler state inconsistencies, potentially leading to memory corruption or information disclosure.
Vulnerability analysis
The QFQ scheduler incorrectly relied on user-controllable queue length values (cl->qdisc->q.qlen) to determine class activation state in qfq_deact_rm_from_agg(). This allows attackers with traffic control privileges to manipulate qlen values and cause inconsistent internal state. The fix replaces this with cl_is_active(), which uses proper internal state tracking instead of trusting potentially manipulated queue lengths. Attack requires CAP_NET_ADMIN capability and active QFQ scheduler configuration.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.249 | fac2c67bb2bb |
| 5.15 | 5.15.199 | b8c24cf5268f |
| 6.1 | 6.1.162 | f27047abf7ca |
| 6.6 | 6.6.122 | 93b8635974fb |
| 6.12 | 6.12.68 | abd9fc26ea57 |
| 6.18 | 6.18.8 | 77f1afd0bb4d |
| mainline | 6.19 | d837fbee9245 |