Updated: 2026-02-08 03:35:08.07776
Description:
In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_fq: fix integer overflow of "credit"

If sch_fq is configured with "initial quantum" having values greater than INT_MAX, the first assignment of "credit" does signed integer overflow to a very negative value. In this situation, the syzkaller script provided by Cristoph triggers the CPU soft-lockup warning even with few sockets. It's not an infinite loop, but "credit" wasn't probably meant to be minus 2Gb for each new flow. Capping "initial quantum" to INT_MAX proved to fix the issue.

v2: validation of "initial quantum" is done in fq_policy, instead of open coding in fq_change(), suggested by Jakub Kicinski
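
The overflow described above, as an added user-space model (not the kernel's code and not the patch itself): it shows the unsigned-to-signed wrap of "credit", a validation cap at INT_MAX, and why the result is a very long loop rather than an infinite one. The function names, the per-round refill by `quantum`, and the sample values are assumptions of this model.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Model only: a new flow's signed credit is seeded from the unsigned
 * 32-bit "initial quantum". Values above INT_MAX wrap negative on the
 * two's-complement targets Linux supports. */
static int32_t seed_credit(uint32_t initial_quantum)
{
    return (int32_t)initial_quantum;
}

/* Model of the fix: refuse anything above INT_MAX at validation time. */
static int validate_initial_quantum(uint32_t initial_quantum)
{
    return initial_quantum > (uint32_t)INT_MAX ? -ERANGE : 0;
}

/* Assumption of this model: a flow with credit <= 0 is skipped and gets
 * `quantum` added per scheduling round. Returns the rounds needed before
 * the flow may send; finite, but huge after the overflow. */
static uint64_t rounds_until_sendable(int32_t credit, uint32_t quantum)
{
    int64_t c = credit;          /* widen so the model cannot overflow */
    uint64_t rounds = 0;

    while (c <= 0) {
        c += quantum;
        rounds++;
    }
    return rounds;
}

int main(void)
{
    /* Constructed sample values, not taken from the syzkaller script. */
    const uint32_t samples[] = { 15140u, (uint32_t)INT_MAX, 0x80000000u, 0xFFFFFFFFu };
    const uint32_t quantum = 3028u;

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int32_t credit = seed_credit(samples[i]);
        printf("initial_quantum=%u credit=%d rounds=%llu validate=%d\n",
               samples[i], credit,
               (unsigned long long)rounds_until_sendable(credit, quantum),
               validate_initial_quantum(samples[i]));
    }
    return 0;
}
```
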
Links: NIST, CIRCL, RHEL, Ubuntu

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | | 0.0 |
| CVSS Version 3.x | MEDIUM | 5.5 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | kernel | 5.14.0 | 5.5 | MEDIUM | Ignored | | 2025-10-26 15:40:20 | Low priority: The flaw is only reachable when the fq (sch_fq) queuing discipline is explicitly confi... |
| CentOS 8.4 ELS | kernel | 4.18.0 | 5.5 | MEDIUM | Ignored | | 2025-10-26 15:40:21 | Ignored due to low severity |
| CentOS 8.5 ELS | kernel | 4.18.0 | 5.5 | MEDIUM | Ignored | | 2025-10-26 15:40:22 | Ignored due to low severity |
| Ubuntu 16.04 ELS | linux-hwe | 4.15.0 | 5.5 | MEDIUM | Needs Triage | | 2026-02-09 20:05:28 | This is a local-only availability bug in the sch_fq queuing discipline that is only triggerable by r... |
| Ubuntu 16.04 ELS | linux | 4.4.0 | 5.5 | MEDIUM | Needs Triage | | 2026-02-09 20:05:13 | This is a local-only availability bug in the sch_fq queuing discipline that is only triggerable by r... |
| Ubuntu 18.04 ELS | linux | 4.15.0 | 5.5 | MEDIUM | Needs Triage | | 2026-02-09 20:05:14 | This is a local-only availability bug in the sch_fq queuing discipline that is only triggerable by r... |