CVE-2026-22976

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset<br /> <br /> `qfq_class-&gt;leaf_qdisc-&gt;q.qlen &gt; 0` does not imply that the class<br /> itself is active.<br /> <br /> Two qfq_class objects may point to the same leaf_qdisc. This happens<br /> when:<br /> <br /> 1. one QFQ qdisc is attached to the dev as the root qdisc, and<br /> <br /> 2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get()<br /> / qdisc_put()) and is pending to be destroyed, as in function<br /> tc_new_tfilter.<br /> <br /> When packets are enqueued through the root QFQ qdisc, the shared<br /> leaf_qdisc-&gt;q.qlen increases. At the same time, the second QFQ<br /> qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters<br /> qfq_reset() with its own q-&gt;q.qlen == 0, but its class&amp;#39;s leaf<br /> qdisc-&gt;q.qlen &gt; 0. Therefore, the qfq_reset would wrongly deactivate<br /> an inactive aggregate and trigger a null-deref in qfq_deactivate_agg:<br /> <br /> [ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> [ 0.903571] #PF: supervisor write access in kernel mode<br /> [ 0.903860] #PF: error_code(0x0002) - not-present page<br /> [ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0<br /> [ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI<br /> [ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE<br /> [ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014<br /> [ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))<br /> [ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0<br /> <br /> Code starting with the faulting instruction<br /> ===========================================<br /> 0: 0f 84 4d 01 00 00 je 0x153<br /> 6: 48 89 70 18 mov %rsi,0x18(%rax)<br /> a: 8b 4b 10 mov 0x10(%rbx),%ecx<br /> d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx<br /> 14: 48 8b 78 08 mov 0x8(%rax),%rdi<br /> 18: 48 d3 e2 shl %cl,%rdx<br /> 1b: 48 21 f2 and %rsi,%rdx<br /> 1e: 48 2b 13 sub (%rbx),%rdx<br /> 21: 48 8b 30 mov (%rax),%rsi<br /> 24: 48 d3 ea shr %cl,%rdx<br /> 27: 8b 4b 18 mov 0x18(%rbx),%ecx<br /> ...<br /> [ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246<br /> [ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000<br /> [ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br /> [ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000<br /> [ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000<br /> [ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880<br /> [ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000<br /> [ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0<br /> [ 0.910247] PKRU: 55555554<br /> [ 0.910391] Call Trace:<br /> [ 0.910527] <br /> [ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485)<br /> [ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036)<br /> [ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076)<br /> [ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447)<br /> [ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)<br /> [ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861)<br /> [ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550)<br /> [ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)<br /> [ 0.912296] ? __alloc_skb (net/core/skbuff.c:706)<br /> [ 0.912484] netlink_sendmsg (net/netlink/af<br /> ---truncated---