目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2026-53080— cls_fw: 修复在 change() 前旧过滤器的空指针解引用

AI 预测 5.5 利用难度: 中等 EPSS 0.17% · P7
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2026-53080 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
net/sched: cls_fw: fix NULL dereference of "old" filters before change()
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_fw: fix NULL dereference of "old" filters before change() Like pointed out by Sashiko [1], since commit ed76f5edccc9 ("net: sched: protect filter_chain list with filter_chain_lock mutex") TC filters are added to a shared block and published to datapath before their ->change() function is called. This is a problem for cls_fw: an invalid filter created with the "old" method can still classify some packets before it is destroyed by the validation logic added by Xiang. Therefore, insisting with repeated runs of the following script: # ip link add dev crash0 type dummy # ip link set dev crash0 up # mausezahn crash0 -c 100000 -P 10 \ > -A 4.3.2.1 -B 1.2.3.4 -t udp "dp=1234" -q & # sleep 1 # tc qdisc add dev crash0 egress_block 1 clsact # tc filter add block 1 protocol ip prio 1 matchall \ > action skbedit mark 65536 continue # tc filter add block 1 protocol ip prio 2 fw # ip link del dev crash0 can still make fw_classify() hit the WARN_ON() in [2]: WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399 Modules linked in: cls_fw(E) act_skbedit(E) CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G E 7.0.0-rc6-virtme #17 PREEMPT(full) Tainted: [E]=UNSIGNED_MODULE Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014 RIP: 0010:fw_classify+0x244/0x250 [cls_fw] Code: 5c 49 c7 45 00 00 00 00 00 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 5b b8 ff ff ff ff 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 90 <0f> 0b 90 eb a0 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffd1b7026bf8a8 EFLAGS: 00010202 RAX: ffff8c5ac9c60800 RBX: ffff8c5ac99322c0 RCX: 0000000000000004 RDX: 0000000000000001 RSI: ffff8c5b74d7a000 RDI: ffff8c5ac8284f40 RBP: ffffd1b7026bf8d0 R08: 0000000000000000 R09: ffffd1b7026bf9b0 R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000010000 R13: ffffd1b7026bf930 R14: ffff8c5ac8284f40 R15: 0000000000000000 FS: 00007fca40c37740(0000) GS:ffff8c5b74d7a000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fca40e822a0 CR3: 0000000005ca0001 CR4: 0000000000172ef0 Call Trace: <TASK> tcf_classify+0x17d/0x5c0 tc_run+0x9d/0x150 __dev_queue_xmit+0x2ab/0x14d0 ip_finish_output2+0x340/0x8f0 ip_output+0xa4/0x250 raw_sendmsg+0x147d/0x14b0 __sys_sendto+0x1cc/0x1f0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x126/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fca40e822ba Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 RSP: 002b:00007ffc248a42c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 000055ef233289d0 RCX: 00007fca40e822ba RDX: 000000000000001e RSI: 000055ef23328c30 RDI: 0000000000000003 RBP: 000055ef233289d0 R08: 00007ffc248a42d0 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001e R13: 00000000000186a0 R14: 0000000000000000 R15: 00007fca41043000 </TASK> irq event stamp: 1045778 hardirqs last enabled at (1045784): [<ffffffff864ec042>] __up_console_sem+0x52/0x60 hardirqs last disabled at (1045789): [<ffffffff864ec027>] __up_console_sem+0x37/0x60 softirqs last enabled at (1045426): [<ffffffff874d48c7>] __alloc_skb+0x207/0x260 softirqs last disabled at (1045434): [<ffffffff874fe8f8>] __dev_queue_xmit+0x78/0x14d0 Then, because of the value in the packet's mark, dereference on 'q->handle' with NULL 'q' occurs: BUG: kernel NULL pointer dereference, address: 0000000000000038 [...] RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw] [...] Skip "old-style" classification on shared blocks, so that the NULL dereference is fixed and WARN_ON() is not hit anymore in the short lifetime of invalid cls_fw "old-style" filters. [1] https://sashiko.dev/#/patchset/2 ---truncated---
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
N/A
来源: 美国国家漏洞数据库 NVD

受影响产品

厂商产品影响版本CPE订阅
LinuxLinux ed76f5edccc98fa66f2337f0b3b255d6e1a568b7 ~ a719275da488835e987d28effc04679b4aace3a0 -
LinuxLinux 5.1 -

二、漏洞 CVE-2026-53080 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2026-53080 的情报信息

登录查看更多情报信息。

CVE-2026-53080 补丁与修复 (8)

同批安全公告 · Linux · 2026-06-24 · 共 219 条

CVE-2026-529869.8 CRITICALnetfilter nf_conntrack_sip 漏洞
CVE-2026-530469.8 CRITICALksmbd Qualcomm 加密引擎异步加密 UAF 漏洞
CVE-2026-529559.8 CRITICALlibceph crush_decode() 潜在越界访问漏洞
CVE-2026-530459.8 CRITICALTegra124 EMC dll_change 检查漏洞
CVE-2026-530499.8 CRITICALGFS2 文件系统日志锁定缺失漏洞
CVE-2026-530109.8 CRITICALksmbd 内核模块 SMB2 打开会话持久重连时存在使用之后释放漏洞
CVE-2026-530889.8 CRITICALBcmgenet 驱动 bcmgenet_put_txcb 偏移错误漏洞
CVE-2026-530069.8 CRITICALIPv6 icmpv6_rcv() 中可能的 UAF 漏洞
CVE-2026-529829.8 CRITICALRealtek RTL8150 网卡 use-after-free 漏洞
CVE-2026-530029.8 CRITICALnetfilter conntrack移除sprintf使用
CVE-2026-530869.8 CRITICALNet: BCMGenet 修复竞态超时处理漏洞
CVE-2026-529149.8 CRITICALbatman-adv 片段重组长度计算漏洞
CVE-2026-529939.8 CRITICALTIPC tipc_buf_append() 双重释放漏洞
CVE-2026-529319.8 CRITICALbatman-adv tp_meter 未初始化变量使用漏洞
CVE-2026-530559.8 CRITICALHisilicon SEC2 使用后释放漏洞
CVE-2026-529249.8 CRITICALsctp COOKIE-ECHO处理过时导致outqueue清理
CVE-2026-529899.8 CRITICALnvmet-tcp 传播 nvmet_tcp_build_pdu_iovec() 错误到调用者
CVE-2026-529999.1 CRITICALNetfilter: nfnetlink_osf 匹配选项越界读漏洞
CVE-2026-529589.1 CRITICALlibceph osdmap_decode() 越界访问漏洞
CVE-2026-530439.1 CRITICALOCFS2 DLM 队列区域数验证缺陷

显示前 20 条,共 219 条。 查看全部 &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-53080

暂无评论


发表评论