{"cve":{"cve_id":"CVE-2026-53080","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":null,"epss_percentile":null,"epss_as_of":null,"description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_fw: fix NULL dereference of \"old\" filters before change()\n\nLike pointed out by Sashiko [1], since commit ed76f5edccc9 (\"net: sched:\nprotect filter_chain list with filter_chain_lock mutex\") TC filters are\nadded to a shared block and published to datapath before their ->change()\nfunction is called. This is a problem for cls_fw: an invalid filter\ncreated with the \"old\" method can still classify some packets before it\nis destroyed by the validation logic added by Xiang.\nTherefore, insisting with repeated runs of the following script:\n\n # ip link add dev crash0 type dummy\n # ip link set dev crash0 up\n # mausezahn  crash0 -c 100000 -P 10 \\\n > -A 4.3.2.1 -B 1.2.3.4 -t udp \"dp=1234\" -q &\n # sleep 1\n # tc qdisc add dev crash0 egress_block 1 clsact\n # tc filter add block 1 protocol ip prio 1 matchall \\\n > action skbedit mark 65536 continue\n # tc filter add block 1 protocol ip prio 2 fw\n # ip link del dev crash0\n\ncan still make fw_classify() hit the WARN_ON() in [2]:\n\n WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399\n Modules linked in: cls_fw(E) act_skbedit(E)\n CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G            E       7.0.0-rc6-virtme #17 PREEMPT(full)\n Tainted: [E]=UNSIGNED_MODULE\n Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014\n RIP: 0010:fw_classify+0x244/0x250 [cls_fw]\n Code: 5c 49 c7 45 00 00 00 00 00 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 5b b8 ff ff ff ff 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 90 <0f> 0b 90 eb a0 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90\n RSP: 0018:ffffd1b7026bf8a8 EFLAGS: 00010202\n RAX: ffff8c5ac9c60800 RBX: ffff8c5ac99322c0 RCX: 0000000000000004\n RDX: 0000000000000001 RSI: ffff8c5b74d7a000 RDI: ffff8c5ac8284f40\n RBP: ffffd1b7026bf8d0 R08: 0000000000000000 R09: ffffd1b7026bf9b0\n R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000010000\n R13: ffffd1b7026bf930 R14: ffff8c5ac8284f40 R15: 0000000000000000\n FS:  00007fca40c37740(0000) GS:ffff8c5b74d7a000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fca40e822a0 CR3: 0000000005ca0001 CR4: 0000000000172ef0\n Call Trace:\n  <TASK>\n  tcf_classify+0x17d/0x5c0\n  tc_run+0x9d/0x150\n  __dev_queue_xmit+0x2ab/0x14d0\n  ip_finish_output2+0x340/0x8f0\n  ip_output+0xa4/0x250\n  raw_sendmsg+0x147d/0x14b0\n  __sys_sendto+0x1cc/0x1f0\n  __x64_sys_sendto+0x24/0x30\n  do_syscall_64+0x126/0xf80\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7fca40e822ba\n Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n RSP: 002b:00007ffc248a42c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n RAX: ffffffffffffffda RBX: 000055ef233289d0 RCX: 00007fca40e822ba\n RDX: 000000000000001e RSI: 000055ef23328c30 RDI: 0000000000000003\n RBP: 000055ef233289d0 R08: 00007ffc248a42d0 R09: 0000000000000010\n R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001e\n R13: 00000000000186a0 R14: 0000000000000000 R15: 00007fca41043000\n  </TASK>\n irq event stamp: 1045778\n hardirqs last  enabled at (1045784): [<ffffffff864ec042>] __up_console_sem+0x52/0x60\n hardirqs last disabled at (1045789): [<ffffffff864ec027>] __up_console_sem+0x37/0x60\n softirqs last  enabled at (1045426): [<ffffffff874d48c7>] __alloc_skb+0x207/0x260\n softirqs last disabled at (1045434): [<ffffffff874fe8f8>] __dev_queue_xmit+0x78/0x14d0\n\nThen, because of the value in the packet's mark, dereference on 'q->handle'\nwith NULL 'q' occurs:\n\n BUG: kernel NULL  pointer dereference, address: 0000000000000038\n [...]\n RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]\n [...]\n\nSkip \"old-style\" classification on shared blocks, so that the NULL\ndereference is fixed and WARN_ON() is not hit anymore in the short\nlifetime of invalid cls_fw \"old-style\" filters.\n\n[1] https://sashiko.dev/#/patchset/2\n---truncated---","published_at":"2026-06-24T16:30:21.172000Z","last_modified_at":null,"cvss_v3_score":null,"cvss_v3_vector":null,"cvss_v3_severity":null,"cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":null,"nvd_references":["https://git.kernel.org/stable/c/a719275da488835e987d28effc04679b4aace3a0","https://git.kernel.org/stable/c/c205da704c84eeb4247d770150440294fd547049","https://git.kernel.org/stable/c/5dcce34c57d5e5990869384d69deeb9414bf9b92","https://git.kernel.org/stable/c/5df49f0579f7e625f2358a219d31fbc7621be799","https://git.kernel.org/stable/c/829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c","https://git.kernel.org/stable/c/41845bc5bb64f3d615abe575ad655b5e7f193634","https://git.kernel.org/stable/c/4fabcfea7a9dd159df32c5df6587fe858cb0d748","https://git.kernel.org/stable/c/65782b2db7321d5f97c16718c4c7f6c7205a56be"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-28T17:55:28.590503Z","updated_at":"2026-06-28T23:30:50.753831Z"},"effective_severity":null,"badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":null,"metrics":[]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","version_start_inclusive":true,"version_end":"a719275da488835e987d28effc04679b4aace3a0","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:ed76f5edccc98fa66f2337f0b3b255d6e1a568b7:a719275da488835e987d28effc04679b4aace3a0"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","version_start_inclusive":true,"version_end":"c205da704c84eeb4247d770150440294fd547049","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:ed76f5edccc98fa66f2337f0b3b255d6e1a568b7:c205da704c84eeb4247d770150440294fd547049"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","version_start_inclusive":true,"version_end":"5dcce34c57d5e5990869384d69deeb9414bf9b92","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:ed76f5edccc98fa66f2337f0b3b255d6e1a568b7:5dcce34c57d5e5990869384d69deeb9414bf9b92"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","version_start_inclusive":true,"version_end":"5df49f0579f7e625f2358a219d31fbc7621be799","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:ed76f5edccc98fa66f2337f0b3b255d6e1a568b7:5df49f0579f7e625f2358a219d31fbc7621be799"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","version_start_inclusive":true,"version_end":"829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:ed76f5edccc98fa66f2337f0b3b255d6e1a568b7:829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","version_start_inclusive":true,"version_end":"41845bc5bb64f3d615abe575ad655b5e7f193634","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:ed76f5edccc98fa66f2337f0b3b255d6e1a568b7:41845bc5bb64f3d615abe575ad655b5e7f193634"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","version_start_inclusive":true,"version_end":"4fabcfea7a9dd159df32c5df6587fe858cb0d748","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:ed76f5edccc98fa66f2337f0b3b255d6e1a568b7:4fabcfea7a9dd159df32c5df6587fe858cb0d748"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"ed76f5edccc98fa66f2337f0b3b255d6e1a568b7","version_start_inclusive":true,"version_end":"65782b2db7321d5f97c16718c4c7f6c7205a56be","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:ed76f5edccc98fa66f2337f0b3b255d6e1a568b7:65782b2db7321d5f97c16718c4c7f6c7205a56be"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"5.1","version_start_inclusive":true,"version_end":"5.1","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:5.1:5.1"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"0","version_start_inclusive":true,"version_end":"5.1","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:0:5.1"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"5.10.259","version_start_inclusive":true,"version_end":"5.10.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:5.10.259:5.10.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"5.15.210","version_start_inclusive":true,"version_end":"5.15.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:5.15.210:5.15.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.1.176","version_start_inclusive":true,"version_end":"6.1.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.1.176:6.1.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.6.143","version_start_inclusive":true,"version_end":"6.6.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.6.143:6.6.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.12.93","version_start_inclusive":true,"version_end":"6.12.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.12.93:6.12.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.18.35","version_start_inclusive":true,"version_end":"6.18.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.18.35:6.18.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.0.10","version_start_inclusive":true,"version_end":"7.0.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.0.10:7.0.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.1","version_start_inclusive":true,"version_end":"*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.1:*"}],"exploit_refs":[],"news":[],"references":[{"url":"https://git.kernel.org/stable/c/a719275da488835e987d28effc04679b4aace3a0","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/c205da704c84eeb4247d770150440294fd547049","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/5dcce34c57d5e5990869384d69deeb9414bf9b92","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/5df49f0579f7e625f2358a219d31fbc7621be799","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/41845bc5bb64f3d615abe575ad655b5e7f193634","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/4fabcfea7a9dd159df32c5df6587fe858cb0d748","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/65782b2db7321d5f97c16718c4c7f6c7205a56be","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-06-24T16:30:21.172000Z","label":"CVE published","source":null}]}