{"id":"CVE-2026-22999","summary":"net/sched: sch_qfq: do not free existing class in qfq_change_class()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: do not free existing class in qfq_change_class()\n\nFixes qfq_change_class() error case.\n\ncl-\u003eqdisc and cl should only be freed if a new class and qdisc\nwere allocated, or we risk various UAF.","modified":"2026-04-22T18:29:18.132783774Z","published":"2026-01-25T14:36:13.909Z","related":["SUSE-SU-2026:0447-1","SUSE-SU-2026:0471-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0473-1","SUSE-SU-2026:0474-1","SUSE-SU-2026:0475-1","SUSE-SU-2026:0495-1","SUSE-SU-2026:0496-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:0617-1","SUSE-SU-2026:1131-1","SUSE-SU-2026:1180-1","SUSE-SU-2026:1185-1","SUSE-SU-2026:1188-1","SUSE-SU-2026:1189-1","SUSE-SU-2026:1212-1","SUSE-SU-2026:1221-1","SUSE-SU-2026:1222-1","SUSE-SU-2026:1225-1","SUSE-SU-2026:1236-1","SUSE-SU-2026:1237-1","SUSE-SU-2026:1239-1","SUSE-SU-2026:1242-1","SUSE-SU-2026:1244-1","SUSE-SU-2026:1248-1","SUSE-SU-2026:1254-1","SUSE-SU-2026:1259-1","SUSE-SU-2026:1261-1","SUSE-SU-2026:1263-1","SUSE-SU-2026:1265-1","SUSE-SU-2026:1268-1","SUSE-SU-2026:1269-1","SUSE-SU-2026:1270-1","SUSE-SU-2026:1271-1","SUSE-SU-2026:1272-1","SUSE-SU-2026:1274-1","SUSE-SU-2026:1278-1","SUSE-SU-2026:1279-1","SUSE-SU-2026:1280-1","SUSE-SU-2026:1281-1","SUSE-SU-2026:1283-1","SUSE-SU-2026:1284-1","SUSE-SU-2026:1285-1","SUSE-SU-2026:1287-1","SUSE-SU-2026:1288-1","SUSE-SU-2026:1293-1","SUSE-SU-2026:1297-1","SUSE-SU-2026:1298-1","SUSE-SU-2026:1304-1","SUSE-SU-2026:1305-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","SUSE-SU-2026:21005-1","SUSE-SU-2026:21006-1","SUSE-SU-2026:21007-1","SUSE-SU-2026:21008-1","SUSE-SU-2026:21009-1","SUSE-SU-2026:21020-1","SUSE-SU-2026:21041-1","SUSE-SU-2026:21042-1","SUSE-SU-2026:21043-1","SUSE-SU-2026:21044-1","SUSE-SU-2026:21045-1","SUSE-SU-2026:21046-1","SUSE-SU-2026:21047-1","SUSE-SU-2026:21048-1","SUSE-SU-2026:21049-1","SUSE-SU-2026:21050-1","SUSE-SU-2026:21051-1","SUSE-SU-2026:21052-1","SUSE-SU-2026:21053-1","SUSE-SU-2026:21054-1","SUSE-SU-2026:21055-1","SUSE-SU-2026:21056-1","SUSE-SU-2026:21057-1","SUSE-SU-2026:21058-1","SUSE-SU-2026:21059-1","SUSE-SU-2026:21060-1","SUSE-SU-2026:21061-1","SUSE-SU-2026:21071-1","SUSE-SU-2026:21072-1","SUSE-SU-2026:21073-1","SUSE-SU-2026:21074-1","SUSE-SU-2026:21075-1","SUSE-SU-2026:21076-1","SUSE-SU-2026:21077-1","SUSE-SU-2026:21078-1","SUSE-SU-2026:21079-1","SUSE-SU-2026:21080-1","SUSE-SU-2026:21081-1","SUSE-SU-2026:21082-1","SUSE-SU-2026:21083-1","SUSE-SU-2026:21084-1","SUSE-SU-2026:21085-1","SUSE-SU-2026:21086-1","SUSE-SU-2026:21087-1","SUSE-SU-2026:21088-1","SUSE-SU-2026:21089-1","SUSE-SU-2026:21090-1","SUSE-SU-2026:21091-1","SUSE-SU-2026:21096-1","SUSE-SU-2026:21099-1","SUSE-SU-2026:21100-1","SUSE-SU-2026:21102-1","SUSE-SU-2026:21216-1","SUSE-SU-2026:21217-1","SUSE-SU-2026:21219-1","SUSE-SU-2026:21220-1","SUSE-SU-2026:21221-1","openSUSE-SU-2026:20287-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22999.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0a234660dc70ce45d771cbc76b20d925b73ec160"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/362e269bb03f7076ba9990e518aeddb898232e50"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3879cffd9d07aa0377c4b8835c4f64b4fb24ac78"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cff6cd703f41d8071995956142729e4bba160363"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e9d8f11652fa08c647bf7bba7dd8163241a332cd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f06f7635499bc806cbe2bbc8805c7cef8b1edddf"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22999.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22999"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"462dbc9101acd38e92eda93c0726857517a24bbd"},{"fixed":"2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e"},{"fixed":"cff6cd703f41d8071995956142729e4bba160363"},{"fixed":"f06f7635499bc806cbe2bbc8805c7cef8b1edddf"},{"fixed":"0a234660dc70ce45d771cbc76b20d925b73ec160"},{"fixed":"362e269bb03f7076ba9990e518aeddb898232e50"},{"fixed":"e9d8f11652fa08c647bf7bba7dd8163241a332cd"},{"fixed":"3879cffd9d07aa0377c4b8835c4f64b4fb24ac78"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22999.json"}}],"schema_version":"1.7.5"}