CVE-2026-22999

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-22999
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22999.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-22999
Downstream
Related
Published
2026-01-25T14:36:13.909Z
Modified
2026-03-20T12:47:19.107691Z
Summary
net/sched: sch_qfq: do not free existing class in qfq_change_class()
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: schqfq: do not free existing class in qfqchange_class()

Fixes qfqchangeclass() error case.

cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22999.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
462dbc9101acd38e92eda93c0726857517a24bbd
Fixed
2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e
Fixed
cff6cd703f41d8071995956142729e4bba160363
Fixed
f06f7635499bc806cbe2bbc8805c7cef8b1edddf
Fixed
0a234660dc70ce45d771cbc76b20d925b73ec160
Fixed
362e269bb03f7076ba9990e518aeddb898232e50
Fixed
e9d8f11652fa08c647bf7bba7dd8163241a332cd
Fixed
3879cffd9d07aa0377c4b8835c4f64b4fb24ac78

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22999.json"