
CVE-2026-53080

Published: June 24, 2026 · Updated: Jun 24, 2026

EPSS: 0.17% probability of exploitation in 30 days. Percentile: 6.8th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_fw: fix NULL dereference of "old" filters before change()

Like pointed out by Sashiko [1], since commit ed76f5edccc9 ("net: sched: protect filter_chain list with filter_chain_lock mutex") TC filters are added to a shared block and published to datapath before their ->change() function is called. This is a problem for cls_fw: an invalid filter created with the "old" method can still classify some packets before it is destroyed by the validation logic added by Xiang.

Therefore, insisting with repeated runs of the following script:

# ip link add dev crash0 type dummy
# ip link set dev crash0 up
# mausezahn crash0 -c 100000 -P 10 \
> -A 4.3.2.1 -B 1.2.3.4 -t udp "dp=1234" -q &
# sleep 1
# tc qdisc add dev crash0 egress_block 1 clsact
# tc filter add block 1 protocol ip prio 1 matchall \
> action skbedit mark 65536 continue
# tc filter add block 1 protocol ip prio 2 fw
# ip link del dev crash0

can still make fw_classify() hit the WARN_ON() in [2]:

WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399
Modules linked in: cls_fw(E) act_skbedit(E)
CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G E 7.0.0-rc6-virtme #17 PREEMPT(full)
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014
RIP: 0010:fw_classify+0x244/0x250 [cls_fw]
Call Trace:
<TASK>
tcf_classify+0x17d/0x5c0
tc_run+0x9d/0x150
__dev_queue_xmit+0x2ab/0x14d0
ip_finish_output2+0x340/0x8f0
ip_output+0xa4/0x250
raw_sendmsg+0x147d/0x14b0
__sys_sendto+0x1cc/0x1f0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x126/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>

Then, because of the value in the packet's mark, dereference on 'q->handle' with NULL 'q' occurs:

BUG: kernel NULL pointer dereference, address: 0000000000000038

[...]

RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]

[...]

Skip "old-style" classification on shared blocks, so that the NULL dereference is fixed and WARN_ON() is not hit anymore in the short lifetime of invalid cls_fw "old-style" filters.

[1] https://sashiko.dev/#/patchset/2

---truncated---

NVD Source

Technical Analysis

CVE-2026-53080 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description): Linux, Red Hat
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-53080
Severity: NONE
CISA KEV: No
EPSS (30d): 0.17%
Published: Jun 24, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-53080 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
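
A log check for the two kernel signatures quoted in the description (the WARN_ON() hit in fw_classify and the NULL dereference at fw_classify), given here as an added example that is not part of the advisory or the kernel patch. The function names, the 40-line window and the sample log lines are assumptions; the sample is constructed from the excerpts on this page plus one unrelated fault.

```python
import re

# "symbol+offset/size [module]" as printed on kernel WARNING and RIP lines
SYM_RE = re.compile(r"(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?")
NULL_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: (?P<addr>[0-9a-f]+)")
STAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # optional dmesg timestamp prefix
WINDOW = 40  # assumed max distance between a BUG header and its RIP line

def _hits_cls_fw(text):
    """True when the first symbol on the line is fw_classify in module cls_fw."""
    m = SYM_RE.search(text)
    return bool(m) and m.group("sym") == "fw_classify" and m.group("mod") == "cls_fw"

def scan_kernel_log(lines):
    """Return (line_no, kind, detail) for each cls_fw event in a kernel log."""
    findings = []
    pending = None  # (line_no, address) of a NULL-deref header awaiting its RIP
    for no, raw in enumerate(lines, 1):
        line = STAMP_RE.sub("", raw.strip())
        if pending and no - pending[0] > WINDOW:
            pending = None  # header too old, do not pair it with a later RIP
        if line.startswith("WARNING:") and _hits_cls_fw(line):
            findings.append((no, "warn_on", line))
        elif (m := NULL_RE.search(line)):
            pending = (no, m.group("addr"))
        elif line.startswith("RIP: 0010:") and pending:
            # The kernel-mode RIP (x86-64) names the function that faulted;
            # faults in any other function are ignored.
            if _hits_cls_fw(line):
                findings.append((pending[0], "null_deref", "address " + pending[1]))
            pending = None
    return findings

# Constructed sample: lines 1-4 follow the excerpts quoted in the description,
# lines 5-6 are an unrelated fault in a made-up module that must not match.
SAMPLE = """\
[  101.000001] WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399
[  101.000002] RIP: 0010:fw_classify+0x244/0x250 [cls_fw]
[  101.000100] BUG: kernel NULL pointer dereference, address: 0000000000000038
[  101.000101] RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]
[  205.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  205.000002] RIP: 0010:example_fn+0x12/0x80 [example_mod]
""".splitlines()

if __name__ == "__main__":
    for finding in scan_kernel_log(SAMPLE):
        print(finding)
```

Feed it the lines of a saved `dmesg` or journal export; a `warn_on` or `null_deref` finding on a host that uses cls_fw on shared blocks indicates a kernel without the fix.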
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.