Login Sign Up

CVE-2026-22976

5.5 MEDIUM
Denial of Service

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's QFQ (Quick Fair Queueing) scheduler allows local attackers to cause a kernel panic and system crash. This affects systems using QFQ queuing discipline with specific network configuration scenarios. The vulnerability requires local access to trigger.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions with QFQ scheduler support, specifically vulnerable versions before the fix commits
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when QFQ queuing discipline is configured and in use. Requires specific network configuration with multiple QFQ qdiscs sharing leaf qdiscs.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to complete system crash and denial of service, potentially causing data loss or service disruption.

🟠

Likely Case

Local denial of service through kernel panic, requiring system reboot to recover.

🟢

If Mitigated

No impact if QFQ scheduler is not in use or proper access controls prevent local users from manipulating network queuing.

🌐 Internet-Facing: LOW - Requires local access to trigger, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local users or processes with appropriate privileges can cause system crashes.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to manipulate network queuing via tc commands. The exploit trace shows a local process triggering the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: 0809c4bc06c9c961222df29f2eccfd449304056f, 11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb, 43497313d0da3e12b5cfcd97aa17bf48ee663f95, 51ffd447bc37bf1a5776b85523f51d2bc69977f6, 6116a83ec167d3ab1390cded854d237481f41b63

Vendor Advisory: https://git.kernel.org/stable/c/0809c4bc06c9c961222df29f2eccfd449304056f

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits. 2. Reboot system to load new kernel. 3. Verify QFQ functionality if required for network configuration.

🔧 Temporary Workarounds

Disable QFQ scheduler

linux

Remove or disable QFQ queuing discipline from network interfaces

tc qdisc del dev <interface> root
tc qdisc replace dev <interface> root pfifo_fast

Restrict tc command access

linux

Limit which users can manipulate traffic control settings

chmod 750 /sbin/tc
setcap -r /sbin/tc
configure sudoers to restrict tc command usage

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from running tc commands
  • Monitor for kernel panic events and implement high availability/failover for critical systems

🔍 How to Verify

Check if Vulnerable:

Check if QFQ is configured: tc qdisc show | grep qfq. Check kernel version against affected range.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes fix commits: grep -r 'qfq_reset' /proc/kallsyms. Test tc qdisc operations with QFQ configuration.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages mentioning qfq_deactivate_agg
  • NULL pointer dereference errors in kernel logs
  • System crash/reboot events

Network Indicators:

  • Sudden loss of network connectivity on interfaces using QFQ

SIEM Query:

source="kernel" AND ("qfq_deactivate_agg" OR "NULL pointer dereference" OR "Oops: 0002")

📊 Metadata

CVE ID: CVE-2026-22976
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-476
EPSS Score: 0.03% exploit probability (8.9th percentile)
Published: January 21, 2026
Last Updated: February 26, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-22976, you might also want to check these:

CVE-2022-36648 10.0

This CVE describes a vulnerability in QEMU's hardware emulation where a malformed program executed i...

Same vulnerability type (CWE-476)
CVE-2022-30592 9.8

This vulnerability in LiteSpeed QUIC (LSQUIC) before version 3.1.0 involves improper handling of MAX...

Same vulnerability type (CWE-476)
CVE-2023-47003 9.8

A NULL pointer dereference vulnerability in RedisGraph allows attackers to execute arbitrary code or...

Same vulnerability type (CWE-476)