Cyber Resilience

CVE-2026-22999

Severity: High
Published: 25 January 2026
Modified: 27 April 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.9th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22999 is a high-severity vulnerability in the Linux kernel (vendor Linux, product Linux Kernel) whose weakness type is unspecified in this record. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS exploit likelihood ranks at the 1.9th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-22999 is a use-after-free (UAF) vulnerability in the Linux kernel's network scheduler, specifically the Quick Fair Queueing (QFQ) classful qdisc implementation in the sch_qfq module. The issue arises in the qfq_change_class() function, where error handling paths incorrectly free the existing class (cl) and its associated qdisc (cl->qdisc) even if no new class or qdisc was allocated, leading to potential UAF conditions. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering the faulty error path in qfq_change_class(), such as through manipulation of network scheduling classes via tc (traffic control) commands. Successful exploitation could result in high-impact consequences, including arbitrary code execution in kernel context, data corruption, or system denial of service due to the UAF enabling memory corruption.

The vulnerability has been addressed in multiple Linux kernel stable releases via patches linked in the references, such as commits 0a234660dc70ce45d771cbc76b20d925b73ec160, 2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e, 362e269bb03f7076ba9990e518aeddb898232e50, 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78, and cff6cd703f41d8071995956142729e4bba160363. These patches ensure that cl->qdisc and cl are freed only if new allocations occurred, preventing the UAF. Security practitioners should update affected Linux kernels to versions incorporating these fixes and audit systems using sch_qfq for exposure.
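The error-path mistake described above, as an added example that is not the kernel's code: a constructed C model in which a class owns one qdisc and a change handler either modifies an existing class or allocates a new one. All names (class_model, change_class, put_class, slab_cl) are invented for illustration; the fixed flag switches between the unconditional release and the corrected "release only what this call allocated" form, and a freed object is only marked so the mistake is observable without real undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model: a classful qdisc class that owns one child qdisc. */
struct qdisc_model { bool freed; };
struct class_model { struct qdisc_model *qdisc; bool freed; };
/* One-slot "allocator" so the model needs no heap; a freed object is only
 * marked, never reused, so the mistake stays observable without real UB. */
static struct qdisc_model slab_q;
static struct class_model slab_cl;
static struct class_model *new_class(void)
{
    slab_q.freed = slab_cl.freed = false;
    slab_cl.qdisc = &slab_q;
    return &slab_cl;
}
/* Stand-in for releasing cl->qdisc and then cl. */
static void put_class(struct class_model *cl)
{
    cl->qdisc->freed = cl->freed = true;
}
/* Shape of a change-class handler: 'existing' is the class being modified
 * (NULL when creating), 'fail_late' forces the error path that runs after
 * cl is set up, 'fixed' selects the corrected error handling. */
static int change_class(struct class_model *existing, bool fail_late, bool fixed)
{
    struct class_model *cl = existing ? existing : new_class();
    if (fail_late) {
        /* Bug: releasing cl unconditionally frees a class that is still
         * linked into the scheduler whenever 'existing' was passed in.
         * Fix: release only what this call allocated. */
        if (!fixed || !existing)
            put_class(cl);
        return -1;
    }
    return 0;
}
/* True if a pre-existing class and its qdisc survive a failed change. */
bool existing_class_survives(bool fixed)
{
    struct qdisc_model q = { false };
    struct class_model cl = { &q, false };
    return change_class(&cl, true, fixed) == -1 && !cl.freed && !q.freed;
}
/* True if a failed creation still releases the class it just allocated. */
bool new_class_released_on_failure(bool fixed)
{
    return change_class(NULL, true, fixed) == -1 && slab_cl.freed && slab_q.freed;
}
```

The second check matters for reviewers of the fix: the corrected path must still release a class that this call itself allocated, otherwise the patch trades a UAF for a leak.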

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_qfq: do not free existing class in qfq_change_class()

Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in sch_qfq directly enables privilege escalation via crafted tc commands leading to arbitrary kernel code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152 (same product: Linux Linux Kernel)
CVE-2026-23111 (same product: Linux Linux Kernel)
CVE-2026-31530 (same product: Linux Linux Kernel)
CVE-2026-23387 (same product: Linux Linux Kernel)
CVE-2025-21856 (same product: Linux Linux Kernel)
CVE-2025-21727 (same product: Linux Linux Kernel)
CVE-2026-23275 (same product: Linux Linux Kernel)
CVE-2026-31401 (same product: Linux Linux Kernel)
CVE-2024-57980 (same product: Linux Linux Kernel)
CVE-2026-23437 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.19; 3.8 through 5.10.249; 5.11 through 5.15.199; 5.16 through 6.1.162

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires timely patching of the Linux kernel to fix the UAF in qfq_change_class() in sch_qfq, eliminating the vulnerability.

Detect: Vulnerability scanning detects Linux kernel versions susceptible to CVE-2026-22999, enabling remediation.

Prevent: Kernel memory protections like KASLR and SMEP hinder exploitation of the sch_qfq UAF for code execution or corruption.

References