CVE-2026-22999
Published: 25 January 2026
Summary
CVE-2026-22999 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-22999 is a use-after-free (UAF) vulnerability in the Linux kernel's network scheduler, specifically the Quick Fair Queueing (QFQ) classful qdisc implementation in the sch_qfq module. The issue arises in the qfq_change_class() function, where error handling paths incorrectly free the existing class (cl) and its associated qdisc (cl->qdisc) even if no new class or qdisc was allocated, leading to potential UAF conditions. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by triggering the faulty error path in qfq_change_class(), such as through manipulation of network scheduling classes via tc (traffic control) commands. Successful exploitation could result in high-impact consequences, including arbitrary code execution in kernel context, data corruption, or system denial of service due to the UAF enabling memory corruption.
The vulnerability has been addressed in multiple Linux kernel stable releases via patches linked in the references, such as commits 0a234660dc70ce45d771cbc76b20d925b73ec160, 2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e, 362e269bb03f7076ba9990e518aeddb898232e50, 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78, and cff6cd703f41d8071995956142729e4bba160363. These patches ensure that cl->qdisc and cl are freed only if new allocations occurred, preventing the UAF. Security practitioners should update affected Linux kernels to versions incorporating these fixes and audit systems using sch_qfq for exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4624
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we…
more
risk various UAF.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel UAF in sch_qfq directly enables privilege escalation via crafted tc commands leading to arbitrary kernel code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely patching of the Linux kernel to fix the UAF in sch_qfq_change_class(), eliminating the vulnerability.
Vulnerability scanning detects Linux kernel versions susceptible to CVE-2026-22999, enabling remediation.
Kernel memory protections like KASLR and SMEP hinder exploitation of the sch_qfq UAF for code execution or corruption.