
CVE-2026-23277

net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit

In the Linux kernel, the following vulnerability has been resolved:

net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit

teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit
through slave devices, but does not update skb->dev to the slave device
beforehand.

When a gretap tunnel is a TEQL slave, the transmit path reaches
iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0
master) and later calls iptunnel_xmit_stats(dev, pkt_len). This
function does:

    get_cpu_ptr(dev->tstats)

Since teql_master_setup() does not set dev->pcpu_stat_type to
NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats
for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes
NULL + __per_cpu_offset[cpu], resulting in a page fault.

 BUG: unable to handle page fault for address: ffff8880e6659018
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page
 PGD 68bc067 P4D 68bc067 PUD 0
 Oops: Oops: 0002 [#1] SMP KASAN PTI
 RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)
 Call Trace:
  <TASK>
  ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
  __gre_xmit (net/ipv4/ip_gre.c:478)
  gre_tap_xmit (net/ipv4/ip_gre.c:779)
  teql_master_xmit (net/sched/sch_teql.c:319)
  dev_hard_start_xmit (net/core/dev.c:3887)
  sch_direct_xmit (net/sched/sch_generic.c:347)
  __dev_queue_xmit (net/core/dev.c:4802)
  neigh_direct_output (net/core/neighbour.c:1660)
  ip_finish_output2 (net/ipv4/ip_output.c:237)
  __ip_finish_output.part.0 (net/ipv4/ip_output.c:315)
  ip_mc_output (net/ipv4/ip_output.c:369)
  ip_send_skb (net/ipv4/ip_output.c:1508)
  udp_send_skb (net/ipv4/udp.c:1195)
  udp_sendmsg (net/ipv4/udp.c:1485)
  inet_sendmsg (net/ipv4/af_inet.c:859)
  __sys_sendto (net/socket.c:2206)

Fix this by setting skb->dev = slave before calling
netdev_start_xmit(), so that tunnel xmit functions see the correct
slave device with properly allocated tstats.
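
The data flow described above, as an added userspace model in C. It is not kernel code and not the upstream patch. The model_* functions, slave_packets_after_xmit(), the device name "gretap1", the 1400-byte length and the explicit NULL check (which the kernel path does not have) are assumptions made for illustration.

```c
/* Added illustration: a userspace model, not kernel code. Names mirror the
 * commit message; the bodies and the "gretap1" name are assumptions. */
#include <stddef.h>
#include <stdio.h>

struct pcpu_tstats { unsigned long tx_packets, tx_bytes; };
struct net_device  { const char *name; struct pcpu_tstats *tstats; };
struct sk_buff     { struct net_device *dev; unsigned int len; };

/* Model of iptunnel_xmit(): stats are charged to whatever skb->dev points at.
 * Returns -1 where the kernel would fault in get_cpu_ptr(dev->tstats). */
static int model_iptunnel_xmit(struct sk_buff *skb)
{
    struct net_device *dev = skb->dev;      /* saved before the packet is sent */
    if (dev->tstats == NULL)                /* check exists only in this model */
        return -1;
    dev->tstats->tx_packets++;
    dev->tstats->tx_bytes += skb->len;
    return 0;
}

/* Model of teql_master_xmit() handing one skb to a slave. fixed == 0 keeps
 * the pre-patch behaviour: skb->dev still points at the TEQL master. */
static int model_teql_master_xmit(struct sk_buff *skb, struct net_device *slave, int fixed)
{
    if (fixed)
        skb->dev = slave;                   /* the one-line fix */
    return model_iptunnel_xmit(skb);        /* stands in for netdev_start_xmit() */
}

/* Send one packet through teql0 -> gretap1. Returns the slave's tx_packets,
 * or -1 if the transmit would have dereferenced the master's NULL tstats. */
static long slave_packets_after_xmit(int fixed)
{
    struct pcpu_tstats slave_stats = { 0, 0 };
    struct net_device teql0  = { "teql0", NULL };           /* no tstats allocated */
    struct net_device gretap = { "gretap1", &slave_stats };
    struct sk_buff skb = { &teql0, 1400 };
    if (model_teql_master_xmit(&skb, &gretap, fixed) < 0)
        return -1;
    return (long)slave_stats.tx_packets;
}

int main(void)
{
    printf("pre-patch:  %ld\n", slave_packets_after_xmit(0));
    printf("post-patch: %ld\n", slave_packets_after_xmit(1));
    return 0;
}
```
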

Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).

Vendor: Linux
Product: Linux
Default status: unaffected

Version                                   Less than                                 Status
039f50629b7f860f36644ed1f34b27da9aa62f43  383493b9940e3d1b5517424081b3e072e20ec43c  affected
039f50629b7f860f36644ed1f34b27da9aa62f43  6b1f563d670162e188a0f2aec39c24b67b106e17  affected
039f50629b7f860f36644ed1f34b27da9aa62f43  57c153249143333bbf4ecf927bdf8aa2696ee397  affected
039f50629b7f860f36644ed1f34b27da9aa62f43  59b06d8b9bdb6b64b3c534c18da68bce5ccd31be  affected
039f50629b7f860f36644ed1f34b27da9aa62f43  81a43e8005366f16e629d8c95dfe05beaa8d36a7  affected
039f50629b7f860f36644ed1f34b27da9aa62f43  0bad9c86edd22dec4df83c2b29872d66fd8a2ff4  affected
039f50629b7f860f36644ed1f34b27da9aa62f43  21ea283c2750c8307aa35ee832b0951cc993c27d  affected
039f50629b7f860f36644ed1f34b27da9aa62f43  0cc0c2e661af418bbf7074179ea5cfffc0a5c466  affected

Vendor: Linux
Product: Linux
Default status: affected

Version   Bound      Status
4.5                  affected
0         < 4.5      unaffected
5.10.253  <= 5.10.*  unaffected
5.15.203  <= 5.15.*  unaffected
6.1.167   <= 6.1.*   unaffected
6.6.130   <= 6.6.*   unaffected
6.12.78   <= 6.12.*  unaffected
6.18.19   <= 6.18.*  unaffected
6.19.9    <= 6.19.*  unaffected
7.0       <= *       unaffected

No advisory was found for this CVE.

EPSS metrics

Type  Source     Score  Percentile
EPSS  FIRST.org  0.05%  0.158

CVSS metrics

Source  Base Score  Exploit Score  Impact Score  Vector String

No CWE information has been published yet.