VYPR
← All advisories
Unrated severityNVD Advisory· Published May 6, 2026· Updated May 6, 2026

CVE-2026-43086

CVE-2026-43086

Description

In the Linux kernel, the following vulnerability has been resolved:

ipvs: fix NULL deref in ip_vs_add_service error path

When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local variable sched is set to NULL. If ip_vs_start_estimator() subsequently fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched) with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL check (because svc->scheduler was set by the successful bind) but then dereferences the NULL sched parameter at sched->done_service, causing a kernel panic at offset 0x30 from NULL.

Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69) Call Trace:

ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500) do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809) nf_setsockopt (net/netfilter/nf_sockopt.c:102) [..]

Fix by simply not clearing the local sched variable after a successful bind. ip_vs_unbind_scheduler() already detects whether a scheduler is installed via svc->scheduler, and keeping sched non-NULL ensures the error path passes the correct pointer to both ip_vs_unbind_scheduler() and ip_vs_scheduler_put().

While the bug is older, the problem popups in more recent kernels (6.2), when the new error path is taken after the ip_vs_start_estimator() call.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A null-pointer dereference in the Linux kernel's IPVS subsystem can cause a kernel panic when adding a service fails after a successful scheduler bind.

Vulnerability

Overview

In the Linux kernel's IPVS (IP Virtual Server) subsystem, a null-pointer dereference vulnerability exists in the error path of the ip_vs_add_service() function. When ip_vs_bind_scheduler() succeeds, the local variable sched is set to NULL. If a subsequent call to ip_vs_start_estimator() fails, the error cleanup path invokes ip_vs_unbind_scheduler(svc, sched) with sched equal to NULL. Although ip_vs_unbind_scheduler() checks if svc->scheduler is non-NULL (which it is, because the bind succeeded), it then dereferences the NULL sched parameter at sched->done_service, leading to a kernel panic at offset 0x30 from NULL [1].

Exploitation and

Impact

An attacker with the ability to trigger the specific error path in ip_vs_add_service() can cause a denial-of-service (DoS) condition by crashing the kernel. The vulnerability is reachable through the do_ip_vs_set_ vs_set_ctl() function, which is invoked via nf_setsockopt() when configuring IPVS rules. The bug manifests in kernels 6.2 and later, where the error path after ip_vs_start_ vs_start_estimator() failure was introduced [1]. No authentication is required to trigger the issue if the attacker can send crafted IPVS configuration requests, making it a local or potentially remote DoS vector depending on system configuration.

Mitigation

The fix, committed to the Linux kernel stable tree, simply avoids clearing the local sched variable after a successful bind. This ensures that the error path passes the correct scheduler pointer to both ip_vs_unbind_scheduler() and ip_vs_scheduler_put(). The patch is available in multiple stable kernel commits [1][2][3][4]. Users should apply the latest kernel updates from their distribution or compile a patched kernel to remediate the issue.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.