{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.2",
    "cveMetadata": {
        "cveId": "CVE-2026-22976",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2026-01-13T15:37:45.935Z",
        "datePublished": "2026-01-21T06:57:23.939Z",
        "dateUpdated": "2026-06-11T18:44:22.605Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2026-05-11T21:57:35.535Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset\n\n`qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class\nitself is active.\n\nTwo qfq_class objects may point to the same leaf_qdisc. This happens\nwhen:\n\n1. one QFQ qdisc is attached to the dev as the root qdisc, and\n\n2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get()\n/ qdisc_put()) and is pending to be destroyed, as in function\ntc_new_tfilter.\n\nWhen packets are enqueued through the root QFQ qdisc, the shared\nleaf_qdisc->q.qlen increases. At the same time, the second QFQ\nqdisc triggers qdisc_put and qdisc_destroy: the qdisc enters\nqfq_reset() with its own q->q.qlen == 0, but its class's leaf\nqdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate\nan inactive aggregate and trigger a null-deref in qfq_deactivate_agg:\n\n[    0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[    0.903571] #PF: supervisor write access in kernel mode\n[    0.903860] #PF: error_code(0x0002) - not-present page\n[    0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0\n[    0.904502] Oops: Oops: 0002 [#1] SMP NOPTI\n[    0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE\n[    0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n[    0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))\n[    0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0\n\nCode starting with the faulting instruction\n===========================================\n   0:\t0f 84 4d 01 00 00    \tje     0x153\n   6:\t48 89 70 18          \tmov    %rsi,0x18(%rax)\n   a:\t8b 4b 10             \tmov    0x10(%rbx),%ecx\n   d:\t48 c7 c2 ff ff ff ff \tmov    $0xffffffffffffffff,%rdx\n  14:\t48 8b 78 08          \tmov    0x8(%rax),%rdi\n  18:\t48 d3 e2             \tshl    %cl,%rdx\n  1b:\t48 21 f2             \tand    %rsi,%rdx\n  1e:\t48 2b 13             \tsub    (%rbx),%rdx\n  21:\t48 8b 30             \tmov    (%rax),%rsi\n  24:\t48 d3 ea             \tshr    %cl,%rdx\n  27:\t8b 4b 18             \tmov    0x18(%rbx),%ecx\n\t...\n[    0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246\n[    0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000\n[    0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[    0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000\n[    0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000\n[    0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880\n[    0.909179] FS:  000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000\n[    0.909572] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0\n[    0.910247] PKRU: 55555554\n[    0.910391] Call Trace:\n[    0.910527]  <TASK>\n[    0.910638]  qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485)\n[    0.910826]  qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036)\n[    0.911040]  __qdisc_destroy (net/sched/sch_generic.c:1076)\n[    0.911236]  tc_new_tfilter (net/sched/cls_api.c:2447)\n[    0.911447]  rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\n[    0.911663]  ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861)\n[    0.911894]  netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n[    0.912100]  netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n[    0.912296]  ? __alloc_skb (net/core/skbuff.c:706)\n[    0.912484]  netlink_sendmsg (net/netlink/af\n---truncated---"
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "net/sched/sch_qfq.c"
                    ],
                    "versions": [
                        {
                            "version": "0545a3037773512d3448557ba048cebb73b3e4af",
                            "lessThan": "6116a83ec167d3ab1390cded854d237481f41b63",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "0545a3037773512d3448557ba048cebb73b3e4af",
                            "lessThan": "0809c4bc06c9c961222df29f2eccfd449304056f",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "0545a3037773512d3448557ba048cebb73b3e4af",
                            "lessThan": "cdb24200b043438a144df501f1ebbd926bb1a2c7",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "0545a3037773512d3448557ba048cebb73b3e4af",
                            "lessThan": "11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "0545a3037773512d3448557ba048cebb73b3e4af",
                            "lessThan": "43497313d0da3e12b5cfcd97aa17bf48ee663f95",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "0545a3037773512d3448557ba048cebb73b3e4af",
                            "lessThan": "51ffd447bc37bf1a5776b85523f51d2bc69977f6",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "0545a3037773512d3448557ba048cebb73b3e4af",
                            "lessThan": "c1d73b1480235731e35c81df70b08f4714a7d095",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "net/sched/sch_qfq.c"
                    ],
                    "versions": [
                        {
                            "version": "3.0",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "3.0",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "5.10.248",
                            "lessThanOrEqual": "5.10.*",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "5.15.198",
                            "lessThanOrEqual": "5.15.*",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "6.1.161",
                            "lessThanOrEqual": "6.1.*",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "6.6.121",
                            "lessThanOrEqual": "6.6.*",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "6.12.66",
                            "lessThanOrEqual": "6.12.*",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "6.18.6",
                            "lessThanOrEqual": "6.18.*",
                            "status": "unaffected",
                            "versionType": "semver"
                        },
                        {
                            "version": "6.19",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "cpeApplicability": [
                {
                    "nodes": [
                        {
                            "operator": "OR",
                            "negate": false,
                            "cpeMatch": [
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "3.0",
                                    "versionEndExcluding": "5.10.248"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "3.0",
                                    "versionEndExcluding": "5.15.198"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "3.0",
                                    "versionEndExcluding": "6.1.161"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "3.0",
                                    "versionEndExcluding": "6.6.121"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "3.0",
                                    "versionEndExcluding": "6.12.66"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "3.0",
                                    "versionEndExcluding": "6.18.6"
                                },
                                {
                                    "vulnerable": true,
                                    "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                                    "versionStartIncluding": "3.0",
                                    "versionEndExcluding": "6.19"
                                }
                            ]
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/6116a83ec167d3ab1390cded854d237481f41b63"
                },
                {
                    "url": "https://git.kernel.org/stable/c/0809c4bc06c9c961222df29f2eccfd449304056f"
                },
                {
                    "url": "https://git.kernel.org/stable/c/cdb24200b043438a144df501f1ebbd926bb1a2c7"
                },
                {
                    "url": "https://git.kernel.org/stable/c/11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb"
                },
                {
                    "url": "https://git.kernel.org/stable/c/43497313d0da3e12b5cfcd97aa17bf48ee663f95"
                },
                {
                    "url": "https://git.kernel.org/stable/c/51ffd447bc37bf1a5776b85523f51d2bc69977f6"
                },
                {
                    "url": "https://git.kernel.org/stable/c/c1d73b1480235731e35c81df70b08f4714a7d095"
                }
            ],
            "title": "net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset",
            "x_generator": {
                "engine": "bippy-1.2.0"
            }
        },
        "adp": [
            {
                "x_adpType": "supplier",
                "providerMetadata": {
                    "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
                    "shortName": "siemens-SADP",
                    "dateUpdated": "2026-06-02T13:00:46.449Z"
                },
                "affected": [
                    {
                        "vendor": "Siemens",
                        "product": "RUGGEDCOM RST2428P",
                        "versions": [
                            {
                                "status": "affected",
                                "version": "0",
                                "lessThan": "V4.0",
                                "versionType": "custom"
                            }
                        ],
                        "defaultStatus": "unknown"
                    }
                ],
                "references": [
                    {
                        "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
                    }
                ]
            },
            {
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "id": "CVE-2026-22976",
                                "role": "CISA Coordinator",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "version": "2.0.3",
                                "timestamp": "2026-06-10T20:42:23.375903Z"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2026-06-11T18:44:22.605Z"
                }
            }
        ]
    }
}