HOMEVULNERABILITIESCVE-2026-45845
NONE

CVE-2026-45845

Published: May 27, 2026· Updated: May 27, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:5.1th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: taprio: fix NULL pointer dereference in class dump

When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft()

is called with new == NULL and stores NULL into q->qdiscs[cl - 1].

Subsequent RTM_GETTCLASS dump operations walk all classes via

taprio_walk() and call taprio_dump_class(), which calls taprio_leaf()

returning the NULL pointer, then dereferences it to read child->handle,

causing a kernel NULL pointer dereference.

The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel

with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user

namespaces enabled, an unprivileged local user can trigger a kernel

panic by creating a taprio qdisc inside a new network namespace,

grafting an explicit child qdisc, deleting it, and requesting a class

dump. The RTM_GETTCLASS dump itself requires no capability.

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI

KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]

RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)

Call Trace:

<TASK>

tc_fill_tclass (net/sched/sch_api.c:1966)

qdisc_class_dump (net/sched/sch_api.c:2326)

taprio_walk (net/sched/sch_taprio.c:2514)

tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)

tc_dump_tclass_root (net/sched/sch_api.c:2370)

tc_dump_tclass (net/sched/sch_api.c:2431)

rtnl_dumpit (net/core/rtnetlink.c:6864)

netlink_dump (net/netlink/af_netlink.c:2325)

rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)

netlink_rcv_skb (net/netlink/af_netlink.c:2550)

</TASK>

Fix this by substituting &noop_qdisc when new is NULL in

taprio_graft(), a common pattern used by other qdiscs (e.g.,

multiq_graft()) to ensure the q->qdiscs[] slots are never NULL.

This makes control-plane dump paths safe without requiring individual

NULL checks.

Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq)

previously had explicit NULL guards that would drop/skip the packet

cleanly, update those checks to test for &noop_qdisc instead. Without

this, packets would reach taprio_enqueue_one() which increments the root

qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc

drops the packet but those counters are never rolled back, permanently

inflating the root qdisc's statistics.

After this change *old can be a valid qdisc, NULL, or &noop_qdisc.

Only call qdisc_put(*old) in the first case to avoid decreasing

noop_qdisc's refcount, which was never increased.

NVD Source

Technical Analysis

CVE-2026-45845 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
LinuxCanonical
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (5)

Quick Facts

CVE IDCVE-2026-45845
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-45845 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.