CVE-2026-31423 Overview
A divide-by-zero vulnerability has been identified in the Linux kernel's Hierarchical Fair Service Curve (HFSC) packet scheduler (sch_hfsc). The flaw exists in the rtsc_min() function where an integer truncation issue can lead to a kernel oops when processing network traffic through the HFSC scheduler.
The m2sm() function converts a u32 slope value to a u64 scaled value. When large inputs are provided (e.g., m1=4000000000), the result can reach 2^32. The rtsc_min() function stores the difference of two such u64 values in a u32 variable called dsm and uses it as a divisor. When the difference is exactly 2^32, the truncation to u32 yields zero, causing a divide-by-zero oops in the concave-curve intersection path.
Critical Impact
Local denial of service through kernel oops when triggering the divide-by-zero condition in the HFSC packet scheduler.
Affected Products
- Linux kernel with HFSC packet scheduler enabled
- Systems using sch_hfsc for network traffic shaping
- Linux distributions with affected kernel versions
Discovery Timeline
- 2026-04-13 - CVE CVE-2026-31423 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-31423
Vulnerability Analysis
This vulnerability represents a Denial of Service condition caused by an Integer Overflow leading to a divide-by-zero error. The issue occurs within the network scheduler subsystem of the Linux kernel, specifically in the HFSC (Hierarchical Fair Service Curve) implementation located in net/sched/sch_hfsc.c.
The vulnerability is triggered during packet enqueue operations when the HFSC scheduler calculates service curve intersections. The kernel crash occurs in the rtsc_min() function at line 601, which is called from init_ed() (line 629) during the hfsc_enqueue() operation (line 1569).
The core issue is a numeric truncation error where a 64-bit difference value is stored in a 32-bit variable before being used as a divisor. This creates a scenario where mathematically valid non-zero differences become zero after truncation, leading to division by zero.
Root Cause
The root cause is improper handling of integer types in the rtsc_min() function. The variable dsm is declared as u32 (32-bit unsigned integer) but is used to store the difference between two u64 (64-bit) scaled values. When the m2sm() function processes large slope values like 4000000000, it can produce results that reach exactly 2^32. The difference between such values, when truncated from 64 bits to 32 bits, wraps to zero due to integer overflow, which is then used as a divisor in subsequent calculations.
Attack Vector
An attacker with local access or the ability to configure network traffic control settings could trigger this vulnerability by:
- Configuring the HFSC scheduler with carefully crafted service curve parameters
- Using large slope values (m1) that cause m2sm() to produce values near 2^32
- Creating traffic conditions that force the scheduler to calculate service curve intersections via rtsc_min()
- The resulting divide-by-zero causes a kernel oops, leading to system instability or denial of service
The attack requires the ability to configure network QoS settings or traffic control rules, which typically requires elevated privileges or specific network administrator capabilities.
Detection Methods for CVE-2026-31423
Indicators of Compromise
- Kernel oops messages referencing rtsc_min at net/sched/sch_hfsc.c:601
- System crashes or kernel panics when HFSC scheduler is active
- Divide error exceptions logged in kernel messages with RIP pointing to rtsc_min
- Call traces showing init_ed and hfsc_enqueue in the stack
Detection Strategies
- Monitor kernel logs for "Oops: divide error: 0000" messages with HFSC-related stack traces
- Implement kernel crash dump analysis to identify divide-by-zero in sch_hfsc.c
- Use system monitoring tools to detect unexpected kernel oops events on systems using HFSC scheduling
- Review traffic control configurations for unusually large service curve slope values
Monitoring Recommendations
- Enable kernel crash reporting mechanisms (kdump, netconsole) for post-incident analysis
- Monitor system stability metrics on hosts using HFSC traffic shaping
- Alert on kernel oops events, particularly those referencing network scheduler functions
- Track tc command usage that configures HFSC qdiscs with large parameter values
How to Mitigate CVE-2026-31423
Immediate Actions Required
- Apply the kernel patches from the stable kernel tree addressing this vulnerability
- Consider temporarily switching to alternative packet schedulers (HTB, CBQ) if patching is not immediately possible
- Restrict access to traffic control configuration to prevent unauthorized modification of HFSC parameters
- Monitor affected systems for stability issues until patches are applied
Patch Information
The fix widens the dsm variable from u32 to u64 and replaces do_div() with div64_u64() to ensure the full 64-bit difference is preserved during division operations. Multiple kernel stable branches have received patches:
- Linux Kernel Commit 17c1b98
- Linux Kernel Commit 25b6821
- Linux Kernel Commit 4576100
- Linux Kernel Commit b9e6431
- Linux Kernel Commit c56f786
- Linux Kernel Commit d0aefec
Workarounds
- Avoid using the HFSC scheduler (sch_hfsc) until patches are applied; use HTB or other schedulers as alternatives
- Limit access to tc (traffic control) commands to trusted administrators only
- Avoid configuring HFSC service curves with extremely large slope values (m1 approaching 4 billion)
- Monitor systems using HFSC for unexpected crashes and be prepared to disable the scheduler if issues occur
# Check if HFSC scheduler is in use
tc qdisc show | grep hfsc
# Replace HFSC with HTB scheduler (example workaround)
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb default 10
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
