{ "threat_severity" : "Low", "public_date" : "2026-03-25T00:00:00Z", "bugzilla" : { "description" : "kernel: net/sched: ets: fix divide by zero in the offload path", "id" : "2451247", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451247" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-190", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: ets: fix divide by zero in the offload path\nOffloading ETS requires computing each class' WRR weight: this is done by\naveraging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned\nint, the same integer size as the individual DRR quanta, can overflow and\neven cause division by zero, like it happened in the following splat:\nOops: divide error: 0000 [#1] SMP PTI\nCPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full)\nTainted: [E]=UNSIGNED_MODULE\nHardware name: Bochs Bochs, BIOS Bochs 01/01/2011\nRIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]\nCode: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44\nRSP: 0018:ffffd0a180d77588 EFLAGS: 00010246\nRAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660\nRBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe\nR10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe\nR13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000\nFS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0\nCall Trace:\n\nets_qdisc_change+0x870/0xf40 [sch_ets]\nqdisc_create+0x12b/0x540\ntc_modify_qdisc+0x6d7/0xbd0\nrtnetlink_rcv_msg+0x168/0x6b0\nnetlink_rcv_skb+0x5c/0x110\nnetlink_unicast+0x1d6/0x2b0\nnetlink_sendmsg+0x22e/0x470\n____sys_sendmsg+0x38a/0x3c0\n___sys_sendmsg+0x99/0xe0\n__sys_sendmsg+0x8a/0xf0\ndo_syscall_64+0x111/0xf80\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f440b81c77e\nCode: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa\nRSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e\nRDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003\nRBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8\nR13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980\n\nModules linked in: sch_ets(E) netdevsim(E)\n---[ end trace 0000000000000000 ]---\nRIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]\nCode: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44\nRSP: 0018:ffffd0a180d77588 EFLAGS: 00010246\nRAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660\nRBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe\nR10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe\nR13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000\nFS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0\nKernel panic - not syncing: Fatal exception\nKernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n---[ end Kernel panic - not syncing: Fatal exception ]---\nFix this using 64-bit integers for 'q_sum' and 'q_psum'.", "A flaw was found in the Linux kernel's `net/sched: ets` module. A local user can exploit an integer overflow vulnerability when the system calculates weighted round-robin (WRR) weights for network traffic. This overflow can lead to a divide-by-zero error, causing the kernel to panic and resulting in a Denial of Service (DoS) for the affected system." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23379\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23379\nhttps://lore.kernel.org/linux-cve-announce/2026032542-CVE-2026-23379-3b2d@gregkh/T" ], "name" : "CVE-2026-23379", "csaw" : false }