{"id":"CVE-2026-22976","summary":"net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset\n\n`qfq_class-\u003eleaf_qdisc-\u003eq.qlen \u003e 0` does not imply that the class\nitself is active.\n\nTwo qfq_class objects may point to the same leaf_qdisc. This happens\nwhen:\n\n1. one QFQ qdisc is attached to the dev as the root qdisc, and\n\n2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get()\n/ qdisc_put()) and is pending to be destroyed, as in function\ntc_new_tfilter.\n\nWhen packets are enqueued through the root QFQ qdisc, the shared\nleaf_qdisc-\u003eq.qlen increases. At the same time, the second QFQ\nqdisc triggers qdisc_put and qdisc_destroy: the qdisc enters\nqfq_reset() with its own q-\u003eq.qlen == 0, but its class's leaf\nqdisc-\u003eq.qlen \u003e 0. Therefore, the qfq_reset would wrongly deactivate\nan inactive aggregate and trigger a null-deref in qfq_deactivate_agg:\n\n[    0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[    0.903571] #PF: supervisor write access in kernel mode\n[    0.903860] #PF: error_code(0x0002) - not-present page\n[    0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0\n[    0.904502] Oops: Oops: 0002 [#1] SMP NOPTI\n[    0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE\n[    0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n[    0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))\n[    0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0\n\nCode starting with the faulting instruction\n===========================================\n   0:\t0f 84 4d 01 00 00    \tje     0x153\n   6:\t48 89 70 18          \tmov    %rsi,0x18(%rax)\n   a:\t8b 4b 10             \tmov    0x10(%rbx),%ecx\n   d:\t48 c7 c2 ff ff ff ff \tmov    $0xffffffffffffffff,%rdx\n  14:\t48 8b 78 08          \tmov    0x8(%rax),%rdi\n  18:\t48 d3 e2             \tshl    %cl,%rdx\n  1b:\t48 21 f2             \tand    %rsi,%rdx\n  1e:\t48 2b 13             \tsub    (%rbx),%rdx\n  21:\t48 8b 30             \tmov    (%rax),%rsi\n  24:\t48 d3 ea             \tshr    %cl,%rdx\n  27:\t8b 4b 18             \tmov    0x18(%rbx),%ecx\n\t...\n[    0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246\n[    0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000\n[    0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[    0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000\n[    0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000\n[    0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880\n[    0.909179] FS:  000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000\n[    0.909572] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0\n[    0.910247] PKRU: 55555554\n[    0.910391] Call Trace:\n[    0.910527]  \u003cTASK\u003e\n[    0.910638]  qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485)\n[    0.910826]  qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036)\n[    0.911040]  __qdisc_destroy (net/sched/sch_generic.c:1076)\n[    0.911236]  tc_new_tfilter (net/sched/cls_api.c:2447)\n[    0.911447]  rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\n[    0.911663]  ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861)\n[    0.911894]  netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n[    0.912100]  netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n[    0.912296]  ? __alloc_skb (net/core/skbuff.c:706)\n[    0.912484]  netlink_sendmsg (net/netlink/af\n---truncated---","modified":"2026-03-31T17:29:49.093698Z","published":"2026-01-21T06:57:23.939Z","related":["SUSE-SU-2026:0447-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0473-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20287-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22976.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0809c4bc06c9c961222df29f2eccfd449304056f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/43497313d0da3e12b5cfcd97aa17bf48ee663f95"},{"type":"WEB","url":"https://git.kernel.org/stable/c/51ffd447bc37bf1a5776b85523f51d2bc69977f6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6116a83ec167d3ab1390cded854d237481f41b63"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c1d73b1480235731e35c81df70b08f4714a7d095"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cdb24200b043438a144df501f1ebbd926bb1a2c7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22976.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22976"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0545a3037773512d3448557ba048cebb73b3e4af"},{"fixed":"6116a83ec167d3ab1390cded854d237481f41b63"},{"fixed":"0809c4bc06c9c961222df29f2eccfd449304056f"},{"fixed":"cdb24200b043438a144df501f1ebbd926bb1a2c7"},{"fixed":"11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb"},{"fixed":"43497313d0da3e12b5cfcd97aa17bf48ee663f95"},{"fixed":"51ffd447bc37bf1a5776b85523f51d2bc69977f6"},{"fixed":"c1d73b1480235731e35c81df70b08f4714a7d095"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22976.json"}}],"schema_version":"1.7.5"}