CVE-2026-23277
Description
In the Linux kernel, the following vulnerability has been resolved:
net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit through slave devices, but does not update skb->dev to the slave device beforehand.
When a gretap tunnel is a TEQL slave, the transmit path reaches iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 master) and later calls iptunnel_xmit_stats(dev, pkt_len). This function does:
get_cpu_ptr(dev->tstats)
Since teql_master_setup() does not set dev->pcpu_stat_type to NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes NULL + __per_cpu_offset[cpu], resulting in a page fault.
BUG: unable to handle page fault for address: ffff8880e6659018
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 68bc067 P4D 68bc067 PUD 0
Oops: Oops: 0002 [#1] SMP KASAN PTI
RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)
Call Trace:
 ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
 __gre_xmit (net/ipv4/ip_gre.c:478)
 gre_tap_xmit (net/ipv4/ip_gre.c:779)
 teql_master_xmit (net/sched/sch_teql.c:319)
 dev_hard_start_xmit (net/core/dev.c:3887)
 sch_direct_xmit (net/sched/sch_generic.c:347)
 __dev_queue_xmit (net/core/dev.c:4802)
 neigh_direct_output (net/core/neighbour.c:1660)
 ip_finish_output2 (net/ipv4/ip_output.c:237)
 __ip_finish_output.part.0 (net/ipv4/ip_output.c:315)
 ip_mc_output (net/ipv4/ip_output.c:369)
 ip_send_skb (net/ipv4/ip_output.c:1508)
 udp_send_skb (net/ipv4/udp.c:1195)
 udp_sendmsg (net/ipv4/udp.c:1485)
 inet_sendmsg (net/ipv4/af_inet.c:859)
 __sys_sendto (net/socket.c:2206)
Fix this by setting skb->dev = slave before calling netdev_start_xmit(), so that tunnel xmit functions see the correct slave device with properly allocated tstats.
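The stale skb->dev and the one-line fix described above, reduced to a userspace C model; this is an added example, not kernel code or the upstream patch. The reduced struct layouts, the gretap1 device name, the per-CPU offsets and the -1 return that stands in for the page fault are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Reduced stand-ins for the kernel types: only the fields the bug touches. */
struct pcpu_sw_netstats { unsigned long tx_packets, tx_bytes; };
struct net_device { const char *name; struct pcpu_sw_netstats *tstats; };
struct sk_buff { struct net_device *dev; unsigned int len; };

/* Constructed per-CPU offsets. get_cpu_ptr(base) resolves to
 * base + offset[cpu], so a NULL base still yields a non-zero address. */
static const uintptr_t per_cpu_offset[2] = { 0x1000, 0x2000 };
static uintptr_t percpu_addr(const void *base, int cpu)
{
    return (uintptr_t)base + per_cpu_offset[cpu];
}

/* Model of the stats update in iptunnel_xmit(): it works on the cached
 * skb->dev. The kernel has no NULL check there and faults; the model
 * returns -1 so the failure can be observed. */
static int model_iptunnel_xmit(struct sk_buff *skb)
{
    struct net_device *dev = skb->dev;
    if (dev->tstats == NULL)
        return -1;
    dev->tstats->tx_packets++;
    dev->tstats->tx_bytes += skb->len;
    return 0;
}

/* Before the fix: the slave's xmit runs, but skb->dev is still the master. */
static int teql_xmit_before_fix(struct sk_buff *skb, struct net_device *slave)
{
    (void)slave;
    return model_iptunnel_xmit(skb);
}

/* After the fix: skb->dev = slave before the skb reaches the slave's xmit. */
static int teql_xmit_after_fix(struct sk_buff *skb, struct net_device *slave)
{
    skb->dev = slave;
    return model_iptunnel_xmit(skb);
}

int main(void)
{
    struct pcpu_sw_netstats st = { 0, 0 };
    struct net_device teql0 = { "teql0", NULL };   /* master: no tstats */
    struct net_device tap = { "gretap1", &st };    /* constructed slave */
    struct sk_buff skb = { &teql0, 100 };
    printf("before fix: %d\n", teql_xmit_before_fix(&skb, &tap));
    printf("after fix: %d, %s tx_packets=%lu\n",
           teql_xmit_after_fix(&skb, &tap), tap.name, st.tx_packets);
    printf("get_cpu_ptr(NULL), cpu 1: 0x%lx\n", (unsigned long)percpu_addr(NULL, 1));
    return 0;
}
```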
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a NULL pointer dereference in iptunnel_xmit occurs when a gretap tunnel is a TEQL slave because skb->dev is not updated before transmission, leading to a page fault.
Vulnerability Overview
CVE-2026-23277 is a NULL pointer dereference vulnerability in the Linux kernel's net/sched/teql (trivial link equalizer) queuing discipline. The root cause is in teql_master_xmit(), which calls netdev_start_xmit(skb, slave) to transmit a packet through a slave device but fails to update skb->dev to point to that slave beforehand [1]. When a gretap tunnel is configured as a TEQL slave, the transmit path reaches iptunnel_xmit(), which saves dev = skb->dev (still pointing to the teql0 master) and later calls iptunnel_xmit_stats(dev, pkt_len). This function accesses dev->tstats via get_cpu_ptr(dev->tstats). Because teql_master_setup() does not set dev->pcpu_stat_type to NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats for teql0, so dev->tstats is NULL. The call get_cpu_ptr(NULL) computes NULL + __per_cpu_offset[cpu], resulting in a page fault [1].
Exploitation
An attacker can trigger this vulnerability by sending network traffic through a system that has a gretap tunnel configured as a slave of a TEQL master device. No special privileges are needed beyond the network access required to reach the affected configuration; the bug is triggered during normal packet transmission. The crash manifests as a kernel oops with a page fault at an address derived from a NULL pointer plus a per-CPU offset, as shown in the kernel trace [1].
Impact
Successful exploitation causes a denial of service (system crash or kernel panic) due to the NULL pointer dereference. The vulnerability does not appear to allow privilege escalation or arbitrary code execution based on the available information; it is a straightforward NULL pointer dereference leading to a page fault [1].
Mitigation
The fix has been applied in the Linux kernel stable tree. The commit updates skb->dev to the slave device before calling netdev_start_xmit(), ensuring that tunnel xmit functions see the correct slave device with properly allocated tstats [1]. Users should apply the latest kernel updates from their distribution to remediate this issue.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/0bad9c86edd22dec4df83c2b29872d66fd8a2ff4 (nvd)
- git.kernel.org/stable/c/0cc0c2e661af418bbf7074179ea5cfffc0a5c466 (nvd)
- git.kernel.org/stable/c/21ea283c2750c8307aa35ee832b0951cc993c27d (nvd)
- git.kernel.org/stable/c/383493b9940e3d1b5517424081b3e072e20ec43c (nvd)
- git.kernel.org/stable/c/57c153249143333bbf4ecf927bdf8aa2696ee397 (nvd)
- git.kernel.org/stable/c/59b06d8b9bdb6b64b3c534c18da68bce5ccd31be (nvd)
- git.kernel.org/stable/c/6b1f563d670162e188a0f2aec39c24b67b106e17 (nvd)
- git.kernel.org/stable/c/81a43e8005366f16e629d8c95dfe05beaa8d36a7 (nvd)