{"api_version":"1","generated_at":"2026-06-25T11:33:49+00:00","cve":"CVE-2026-53080","urls":{"html":"https://cve.report/CVE-2026-53080","api":"https://cve.report/api/cve/CVE-2026-53080.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53080","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53080"},"summary":{"title":"net/sched: cls_fw: fix NULL dereference of \"old\" filters before change()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_fw: fix NULL dereference of \"old\" filters before change()\n\nLike pointed out by Sashiko [1], since commit ed76f5edccc9 (\"net: sched:\nprotect filter_chain list with filter_chain_lock mutex\") TC filters are\nadded to a shared block and published to datapath before their ->change()\nfunction is called. This is a problem for cls_fw: an invalid filter\ncreated with the \"old\" method can still classify some packets before it\nis destroyed by the validation logic added by Xiang.\nTherefore, insisting with repeated runs of the following script:\n\n # ip link add dev crash0 type dummy\n # ip link set dev crash0 up\n # mausezahn  crash0 -c 100000 -P 10 \\\n > -A 4.3.2.1 -B 1.2.3.4 -t udp \"dp=1234\" -q &\n # sleep 1\n # tc qdisc add dev crash0 egress_block 1 clsact\n # tc filter add block 1 protocol ip prio 1 matchall \\\n > action skbedit mark 65536 continue\n # tc filter add block 1 protocol ip prio 2 fw\n # ip link del dev crash0\n\ncan still make fw_classify() hit the WARN_ON() in [2]:\n\n WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399\n Modules linked in: cls_fw(E) act_skbedit(E)\n CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G            E       7.0.0-rc6-virtme #17 PREEMPT(full)\n Tainted: [E]=UNSIGNED_MODULE\n Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014\n RIP: 0010:fw_classify+0x244/0x250 [cls_fw]\n Code: 5c 49 c7 45 00 00 00 00 00 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 5b b8 ff ff ff ff 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 90 <0f> 0b 90 eb a0 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90\n RSP: 0018:ffffd1b7026bf8a8 EFLAGS: 00010202\n RAX: ffff8c5ac9c60800 RBX: ffff8c5ac99322c0 RCX: 0000000000000004\n RDX: 0000000000000001 RSI: ffff8c5b74d7a000 RDI: ffff8c5ac8284f40\n RBP: ffffd1b7026bf8d0 R08: 0000000000000000 R09: ffffd1b7026bf9b0\n R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000010000\n R13: ffffd1b7026bf930 R14: ffff8c5ac8284f40 R15: 0000000000000000\n FS:  00007fca40c37740(0000) GS:ffff8c5b74d7a000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fca40e822a0 CR3: 0000000005ca0001 CR4: 0000000000172ef0\n Call Trace:\n  <TASK>\n  tcf_classify+0x17d/0x5c0\n  tc_run+0x9d/0x150\n  __dev_queue_xmit+0x2ab/0x14d0\n  ip_finish_output2+0x340/0x8f0\n  ip_output+0xa4/0x250\n  raw_sendmsg+0x147d/0x14b0\n  __sys_sendto+0x1cc/0x1f0\n  __x64_sys_sendto+0x24/0x30\n  do_syscall_64+0x126/0xf80\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7fca40e822ba\n Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n RSP: 002b:00007ffc248a42c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n RAX: ffffffffffffffda RBX: 000055ef233289d0 RCX: 00007fca40e822ba\n RDX: 000000000000001e RSI: 000055ef23328c30 RDI: 0000000000000003\n RBP: 000055ef233289d0 R08: 00007ffc248a42d0 R09: 0000000000000010\n R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001e\n R13: 00000000000186a0 R14: 0000000000000000 R15: 00007fca41043000\n  </TASK>\n irq event stamp: 1045778\n hardirqs last  enabled at (1045784): [<ffffffff864ec042>] __up_console_sem+0x52/0x60\n hardirqs last disabled at (1045789): [<ffffffff864ec027>] __up_console_sem+0x37/0x60\n softirqs last  enabled at (1045426): [<ffffffff874d48c7>] __alloc_skb+0x207/0x260\n softirqs last disabled at (1045434): [<ffffffff874fe8f8>] __dev_queue_xmit+0x78/0x14d0\n\nThen, because of the value in the packet's mark, dereference on 'q->handle'\nwith NULL 'q' occurs:\n\n BUG: kernel NULL  pointer dereference, address: 0000000000000038\n [...]\n RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]\n [...]\n\nSkip \"old-style\" classification on shared blocks, so that the NULL\ndereference is fixed and WARN_ON() is not hit anymore in the short\nlifetime of invalid cls_fw \"old-style\" filters.\n\n[1] https://sashiko.dev/#/patchset/2\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-24 17:17:22","updated_at":"2026-06-24 17:17:22"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/65782b2db7321d5f97c16718c4c7f6c7205a56be","name":"https://git.kernel.org/stable/c/65782b2db7321d5f97c16718c4c7f6c7205a56be","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a719275da488835e987d28effc04679b4aace3a0","name":"https://git.kernel.org/stable/c/a719275da488835e987d28effc04679b4aace3a0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/5dcce34c57d5e5990869384d69deeb9414bf9b92","name":"https://git.kernel.org/stable/c/5dcce34c57d5e5990869384d69deeb9414bf9b92","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c205da704c84eeb4247d770150440294fd547049","name":"https://git.kernel.org/stable/c/c205da704c84eeb4247d770150440294fd547049","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/4fabcfea7a9dd159df32c5df6587fe858cb0d748","name":"https://git.kernel.org/stable/c/4fabcfea7a9dd159df32c5df6587fe858cb0d748","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c","name":"https://git.kernel.org/stable/c/829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/5df49f0579f7e625f2358a219d31fbc7621be799","name":"https://git.kernel.org/stable/c/5df49f0579f7e625f2358a219d31fbc7621be799","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/41845bc5bb64f3d615abe575ad655b5e7f193634","name":"https://git.kernel.org/stable/c/41845bc5bb64f3d615abe575ad655b5e7f193634","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53080","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53080","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ed76f5edccc98fa66f2337f0b3b255d6e1a568b7 a719275da488835e987d28effc04679b4aace3a0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ed76f5edccc98fa66f2337f0b3b255d6e1a568b7 c205da704c84eeb4247d770150440294fd547049 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ed76f5edccc98fa66f2337f0b3b255d6e1a568b7 5dcce34c57d5e5990869384d69deeb9414bf9b92 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ed76f5edccc98fa66f2337f0b3b255d6e1a568b7 5df49f0579f7e625f2358a219d31fbc7621be799 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ed76f5edccc98fa66f2337f0b3b255d6e1a568b7 829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ed76f5edccc98fa66f2337f0b3b255d6e1a568b7 41845bc5bb64f3d615abe575ad655b5e7f193634 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ed76f5edccc98fa66f2337f0b3b255d6e1a568b7 4fabcfea7a9dd159df32c5df6587fe858cb0d748 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ed76f5edccc98fa66f2337f0b3b255d6e1a568b7 65782b2db7321d5f97c16718c4c7f6c7205a56be git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.1","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.1 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.259 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.210 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.176 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.143 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.93 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.35 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.10 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/sched/cls_fw.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"a719275da488835e987d28effc04679b4aace3a0","status":"affected","version":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","versionType":"git"},{"lessThan":"c205da704c84eeb4247d770150440294fd547049","status":"affected","version":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","versionType":"git"},{"lessThan":"5dcce34c57d5e5990869384d69deeb9414bf9b92","status":"affected","version":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","versionType":"git"},{"lessThan":"5df49f0579f7e625f2358a219d31fbc7621be799","status":"affected","version":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","versionType":"git"},{"lessThan":"829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c","status":"affected","version":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","versionType":"git"},{"lessThan":"41845bc5bb64f3d615abe575ad655b5e7f193634","status":"affected","version":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","versionType":"git"},{"lessThan":"4fabcfea7a9dd159df32c5df6587fe858cb0d748","status":"affected","version":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","versionType":"git"},{"lessThan":"65782b2db7321d5f97c16718c4c7f6c7205a56be","status":"affected","version":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/sched/cls_fw.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.1"},{"lessThan":"5.1","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.259","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.210","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.176","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.143","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.93","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.35","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.259","versionStartIncluding":"5.1","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.210","versionStartIncluding":"5.1","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.176","versionStartIncluding":"5.1","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.143","versionStartIncluding":"5.1","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.93","versionStartIncluding":"5.1","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.35","versionStartIncluding":"5.1","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.10","versionStartIncluding":"5.1","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"5.1","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_fw: fix NULL dereference of \"old\" filters before change()\n\nLike pointed out by Sashiko [1], since commit ed76f5edccc9 (\"net: sched:\nprotect filter_chain list with filter_chain_lock mutex\") TC filters are\nadded to a shared block and published to datapath before their ->change()\nfunction is called. This is a problem for cls_fw: an invalid filter\ncreated with the \"old\" method can still classify some packets before it\nis destroyed by the validation logic added by Xiang.\nTherefore, insisting with repeated runs of the following script:\n\n # ip link add dev crash0 type dummy\n # ip link set dev crash0 up\n # mausezahn  crash0 -c 100000 -P 10 \\\n > -A 4.3.2.1 -B 1.2.3.4 -t udp \"dp=1234\" -q &\n # sleep 1\n # tc qdisc add dev crash0 egress_block 1 clsact\n # tc filter add block 1 protocol ip prio 1 matchall \\\n > action skbedit mark 65536 continue\n # tc filter add block 1 protocol ip prio 2 fw\n # ip link del dev crash0\n\ncan still make fw_classify() hit the WARN_ON() in [2]:\n\n WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399\n Modules linked in: cls_fw(E) act_skbedit(E)\n CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G            E       7.0.0-rc6-virtme #17 PREEMPT(full)\n Tainted: [E]=UNSIGNED_MODULE\n Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014\n RIP: 0010:fw_classify+0x244/0x250 [cls_fw]\n Code: 5c 49 c7 45 00 00 00 00 00 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 5b b8 ff ff ff ff 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 90 <0f> 0b 90 eb a0 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90\n RSP: 0018:ffffd1b7026bf8a8 EFLAGS: 00010202\n RAX: ffff8c5ac9c60800 RBX: ffff8c5ac99322c0 RCX: 0000000000000004\n RDX: 0000000000000001 RSI: ffff8c5b74d7a000 RDI: ffff8c5ac8284f40\n RBP: ffffd1b7026bf8d0 R08: 0000000000000000 R09: ffffd1b7026bf9b0\n R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000010000\n R13: ffffd1b7026bf930 R14: ffff8c5ac8284f40 R15: 0000000000000000\n FS:  00007fca40c37740(0000) GS:ffff8c5b74d7a000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fca40e822a0 CR3: 0000000005ca0001 CR4: 0000000000172ef0\n Call Trace:\n  <TASK>\n  tcf_classify+0x17d/0x5c0\n  tc_run+0x9d/0x150\n  __dev_queue_xmit+0x2ab/0x14d0\n  ip_finish_output2+0x340/0x8f0\n  ip_output+0xa4/0x250\n  raw_sendmsg+0x147d/0x14b0\n  __sys_sendto+0x1cc/0x1f0\n  __x64_sys_sendto+0x24/0x30\n  do_syscall_64+0x126/0xf80\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7fca40e822ba\n Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n RSP: 002b:00007ffc248a42c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n RAX: ffffffffffffffda RBX: 000055ef233289d0 RCX: 00007fca40e822ba\n RDX: 000000000000001e RSI: 000055ef23328c30 RDI: 0000000000000003\n RBP: 000055ef233289d0 R08: 00007ffc248a42d0 R09: 0000000000000010\n R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001e\n R13: 00000000000186a0 R14: 0000000000000000 R15: 00007fca41043000\n  </TASK>\n irq event stamp: 1045778\n hardirqs last  enabled at (1045784): [<ffffffff864ec042>] __up_console_sem+0x52/0x60\n hardirqs last disabled at (1045789): [<ffffffff864ec027>] __up_console_sem+0x37/0x60\n softirqs last  enabled at (1045426): [<ffffffff874d48c7>] __alloc_skb+0x207/0x260\n softirqs last disabled at (1045434): [<ffffffff874fe8f8>] __dev_queue_xmit+0x78/0x14d0\n\nThen, because of the value in the packet's mark, dereference on 'q->handle'\nwith NULL 'q' occurs:\n\n BUG: kernel NULL  pointer dereference, address: 0000000000000038\n [...]\n RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]\n [...]\n\nSkip \"old-style\" classification on shared blocks, so that the NULL\ndereference is fixed and WARN_ON() is not hit anymore in the short\nlifetime of invalid cls_fw \"old-style\" filters.\n\n[1] https://sashiko.dev/#/patchset/2\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-06-24T16:30:21.172Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/a719275da488835e987d28effc04679b4aace3a0"},{"url":"https://git.kernel.org/stable/c/c205da704c84eeb4247d770150440294fd547049"},{"url":"https://git.kernel.org/stable/c/5dcce34c57d5e5990869384d69deeb9414bf9b92"},{"url":"https://git.kernel.org/stable/c/5df49f0579f7e625f2358a219d31fbc7621be799"},{"url":"https://git.kernel.org/stable/c/829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c"},{"url":"https://git.kernel.org/stable/c/41845bc5bb64f3d615abe575ad655b5e7f193634"},{"url":"https://git.kernel.org/stable/c/4fabcfea7a9dd159df32c5df6587fe858cb0d748"},{"url":"https://git.kernel.org/stable/c/65782b2db7321d5f97c16718c4c7f6c7205a56be"}],"title":"net/sched: cls_fw: fix NULL dereference of \"old\" filters before change()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53080","datePublished":"2026-06-24T16:30:21.172Z","dateReserved":"2026-06-09T07:44:35.383Z","dateUpdated":"2026-06-24T16:30:21.172Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 17:17:22","lastModifiedDate":"2026-06-24 17:17:22","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53080","Ordinal":"1","Title":"net/sched: cls_fw: fix NULL dereference of \"old\" filters before ","CVE":"CVE-2026-53080","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53080","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_fw: fix NULL dereference of \"old\" filters before change()\n\nLike pointed out by Sashiko [1], since commit ed76f5edccc9 (\"net: sched:\nprotect filter_chain list with filter_chain_lock mutex\") TC filters are\nadded to a shared block and published to datapath before their ->change()\nfunction is called. This is a problem for cls_fw: an invalid filter\ncreated with the \"old\" method can still classify some packets before it\nis destroyed by the validation logic added by Xiang.\nTherefore, insisting with repeated runs of the following script:\n\n # ip link add dev crash0 type dummy\n # ip link set dev crash0 up\n # mausezahn  crash0 -c 100000 -P 10 \\\n > -A 4.3.2.1 -B 1.2.3.4 -t udp \"dp=1234\" -q &\n # sleep 1\n # tc qdisc add dev crash0 egress_block 1 clsact\n # tc filter add block 1 protocol ip prio 1 matchall \\\n > action skbedit mark 65536 continue\n # tc filter add block 1 protocol ip prio 2 fw\n # ip link del dev crash0\n\ncan still make fw_classify() hit the WARN_ON() in [2]:\n\n WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399\n Modules linked in: cls_fw(E) act_skbedit(E)\n CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G            E       7.0.0-rc6-virtme #17 PREEMPT(full)\n Tainted: [E]=UNSIGNED_MODULE\n Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014\n RIP: 0010:fw_classify+0x244/0x250 [cls_fw]\n Code: 5c 49 c7 45 00 00 00 00 00 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 5b b8 ff ff ff ff 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 90 <0f> 0b 90 eb a0 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90\n RSP: 0018:ffffd1b7026bf8a8 EFLAGS: 00010202\n RAX: ffff8c5ac9c60800 RBX: ffff8c5ac99322c0 RCX: 0000000000000004\n RDX: 0000000000000001 RSI: ffff8c5b74d7a000 RDI: ffff8c5ac8284f40\n RBP: ffffd1b7026bf8d0 R08: 0000000000000000 R09: ffffd1b7026bf9b0\n R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000010000\n R13: ffffd1b7026bf930 R14: ffff8c5ac8284f40 R15: 0000000000000000\n FS:  00007fca40c37740(0000) GS:ffff8c5b74d7a000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fca40e822a0 CR3: 0000000005ca0001 CR4: 0000000000172ef0\n Call Trace:\n  <TASK>\n  tcf_classify+0x17d/0x5c0\n  tc_run+0x9d/0x150\n  __dev_queue_xmit+0x2ab/0x14d0\n  ip_finish_output2+0x340/0x8f0\n  ip_output+0xa4/0x250\n  raw_sendmsg+0x147d/0x14b0\n  __sys_sendto+0x1cc/0x1f0\n  __x64_sys_sendto+0x24/0x30\n  do_syscall_64+0x126/0xf80\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7fca40e822ba\n Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n RSP: 002b:00007ffc248a42c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n RAX: ffffffffffffffda RBX: 000055ef233289d0 RCX: 00007fca40e822ba\n RDX: 000000000000001e RSI: 000055ef23328c30 RDI: 0000000000000003\n RBP: 000055ef233289d0 R08: 00007ffc248a42d0 R09: 0000000000000010\n R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001e\n R13: 00000000000186a0 R14: 0000000000000000 R15: 00007fca41043000\n  </TASK>\n irq event stamp: 1045778\n hardirqs last  enabled at (1045784): [<ffffffff864ec042>] __up_console_sem+0x52/0x60\n hardirqs last disabled at (1045789): [<ffffffff864ec027>] __up_console_sem+0x37/0x60\n softirqs last  enabled at (1045426): [<ffffffff874d48c7>] __alloc_skb+0x207/0x260\n softirqs last disabled at (1045434): [<ffffffff874fe8f8>] __dev_queue_xmit+0x78/0x14d0\n\nThen, because of the value in the packet's mark, dereference on 'q->handle'\nwith NULL 'q' occurs:\n\n BUG: kernel NULL  pointer dereference, address: 0000000000000038\n [...]\n RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]\n [...]\n\nSkip \"old-style\" classification on shared blocks, so that the NULL\ndereference is fixed and WARN_ON() is not hit anymore in the short\nlifetime of invalid cls_fw \"old-style\" filters.\n\n[1] https://sashiko.dev/#/patchset/2\n---truncated---","Type":"Description","Title":"net/sched: cls_fw: fix NULL dereference of \"old\" filters before "}]}}}