{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "ed76f5edccc98fa66f2337f0b3b255d6e1a568b7"
            },
            {
              "fixed": "a719275da488835e987d28effc04679b4aace3a0"
            },
            {
              "fixed": "c205da704c84eeb4247d770150440294fd547049"
            },
            {
              "fixed": "5dcce34c57d5e5990869384d69deeb9414bf9b92"
            },
            {
              "fixed": "5df49f0579f7e625f2358a219d31fbc7621be799"
            },
            {
              "fixed": "829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c"
            },
            {
              "fixed": "41845bc5bb64f3d615abe575ad655b5e7f193634"
            },
            {
              "fixed": "4fabcfea7a9dd159df32c5df6587fe858cb0d748"
            },
            {
              "fixed": "65782b2db7321d5f97c16718c4c7f6c7205a56be"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.1.0"
            },
            {
              "fixed": "5.10.259"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.210"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.176"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.143"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.93"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.35"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53080.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_fw: fix NULL dereference of \"old\" filters before change()\n\nLike pointed out by Sashiko [1], since commit ed76f5edccc9 (\"net: sched:\nprotect filter_chain list with filter_chain_lock mutex\") TC filters are\nadded to a shared block and published to datapath before their -\u003echange()\nfunction is called. This is a problem for cls_fw: an invalid filter\ncreated with the \"old\" method can still classify some packets before it\nis destroyed by the validation logic added by Xiang.\nTherefore, insisting with repeated runs of the following script:\n\n # ip link add dev crash0 type dummy\n # ip link set dev crash0 up\n # mausezahn  crash0 -c 100000 -P 10 \\\n \u003e -A 4.3.2.1 -B 1.2.3.4 -t udp \"dp=1234\" -q \u0026\n # sleep 1\n # tc qdisc add dev crash0 egress_block 1 clsact\n # tc filter add block 1 protocol ip prio 1 matchall \\\n \u003e action skbedit mark 65536 continue\n # tc filter add block 1 protocol ip prio 2 fw\n # ip link del dev crash0\n\ncan still make fw_classify() hit the WARN_ON() in [2]:\n\n WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399\n Modules linked in: cls_fw(E) act_skbedit(E)\n CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G            E       7.0.0-rc6-virtme #17 PREEMPT(full)\n Tainted: [E]=UNSIGNED_MODULE\n Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014\n RIP: 0010:fw_classify+0x244/0x250 [cls_fw]\n Code: 5c 49 c7 45 00 00 00 00 00 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 5b b8 ff ff ff ff 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 90 \u003c0f\u003e 0b 90 eb a0 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90\n RSP: 0018:ffffd1b7026bf8a8 EFLAGS: 00010202\n RAX: ffff8c5ac9c60800 RBX: ffff8c5ac99322c0 RCX: 0000000000000004\n RDX: 0000000000000001 RSI: ffff8c5b74d7a000 RDI: ffff8c5ac8284f40\n RBP: ffffd1b7026bf8d0 R08: 0000000000000000 R09: ffffd1b7026bf9b0\n R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000010000\n R13: ffffd1b7026bf930 R14: ffff8c5ac8284f40 R15: 0000000000000000\n FS:  00007fca40c37740(0000) GS:ffff8c5b74d7a000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fca40e822a0 CR3: 0000000005ca0001 CR4: 0000000000172ef0\n Call Trace:\n  \u003cTASK\u003e\n  tcf_classify+0x17d/0x5c0\n  tc_run+0x9d/0x150\n  __dev_queue_xmit+0x2ab/0x14d0\n  ip_finish_output2+0x340/0x8f0\n  ip_output+0xa4/0x250\n  raw_sendmsg+0x147d/0x14b0\n  __sys_sendto+0x1cc/0x1f0\n  __x64_sys_sendto+0x24/0x30\n  do_syscall_64+0x126/0xf80\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7fca40e822ba\n Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n RSP: 002b:00007ffc248a42c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n RAX: ffffffffffffffda RBX: 000055ef233289d0 RCX: 00007fca40e822ba\n RDX: 000000000000001e RSI: 000055ef23328c30 RDI: 0000000000000003\n RBP: 000055ef233289d0 R08: 00007ffc248a42d0 R09: 0000000000000010\n R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001e\n R13: 00000000000186a0 R14: 0000000000000000 R15: 00007fca41043000\n  \u003c/TASK\u003e\n irq event stamp: 1045778\n hardirqs last  enabled at (1045784): [\u003cffffffff864ec042\u003e] __up_console_sem+0x52/0x60\n hardirqs last disabled at (1045789): [\u003cffffffff864ec027\u003e] __up_console_sem+0x37/0x60\n softirqs last  enabled at (1045426): [\u003cffffffff874d48c7\u003e] __alloc_skb+0x207/0x260\n softirqs last disabled at (1045434): [\u003cffffffff874fe8f8\u003e] __dev_queue_xmit+0x78/0x14d0\n\nThen, because of the value in the packet's mark, dereference on 'q-\u003ehandle'\nwith NULL 'q' occurs:\n\n BUG: kernel NULL  pointer dereference, address: 0000000000000038\n [...]\n RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]\n [...]\n\nSkip \"old-style\" classification on shared blocks, so that the NULL\ndereference is fixed and WARN_ON() is not hit anymore in the short\nlifetime of invalid cls_fw \"old-style\" filters.\n\n[1] https://sashiko.dev/#/patchset/2\n---truncated---",
  "id": "CVE-2026-53080",
  "modified": "2026-07-15T01:48:49.768473187Z",
  "published": "2026-06-24T16:30:21.172Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/41845bc5bb64f3d615abe575ad655b5e7f193634"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4fabcfea7a9dd159df32c5df6587fe858cb0d748"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5dcce34c57d5e5990869384d69deeb9414bf9b92"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5df49f0579f7e625f2358a219d31fbc7621be799"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/65782b2db7321d5f97c16718c4c7f6c7205a56be"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/829808cbf8cf8a6d07a0e67a5ea2c3fcd63a9e5c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a719275da488835e987d28effc04679b4aace3a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c205da704c84eeb4247d770150440294fd547049"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53080.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53080"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.8.0",
  "summary": "net/sched: cls_fw: fix NULL dereference of \"old\" filters before change()"
}