CVE-2026-45846
Description
In the Linux kernel, the following vulnerability has been resolved:
bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.
BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)
Call Trace:
 bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)
 do_execute_actions (net/openvswitch/actions.c:901)
 ovs_execute_actions (net/openvswitch/actions.c:1589)
 ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)
 genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
 genl_rcv_msg (net/netlink/genetlink.c:1209)
 netlink_rcv_skb (net/netlink/af_netlink.c:2550)
Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.
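A log-triage check for the oops signature quoted in the description, as an added example that is not part of the CVE record or the kernel patch. The sample log (raw dmesg layout with constructed timestamps and offsets, plus one unrelated oops) and the function names `parse_oopses`, `matches_bareudp_cve` and `triage` are assumptions made for illustration.

```python
import re

# Constructed sample (not from the page's logs): the oops from the CVE text in
# dmesg layout, with made-up timestamps/offsets, plus one unrelated oops.
SAMPLE_DMESG = """\
[  812.104511] BUG: kernel NULL pointer dereference, address: 0000000000000018
[  812.104530] RIP: 0010:udp_tunnel6_dst_lookup+0x3c/0x2a0
[  812.104561] Call Trace:
[  812.104563]  <TASK>
[  812.104570]  ? __die+0x23/0x70
[  812.104577]  bareudp_fill_metadata_dst+0xd4/0x1a0 [bareudp]
[  812.104584]  do_execute_actions+0x8a1/0x1b00 [openvswitch]
[  812.104590]  ovs_execute_actions+0x4c/0x130 [openvswitch]
[  812.104596]  ovs_packet_cmd_execute+0x2b1/0x330 [openvswitch]
[  901.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  901.000009] RIP: 0010:some_other_driver_poll+0x10/0x80
[  901.000015] Call Trace:
[  901.000020]  some_other_driver_irq+0x44/0x90
"""

RIP = re.compile(r"RIP: [0-9a-f]{4}:(\w+)")
# A stack frame is "symbol+0xoff/0xsize"; a leading "? " marks an unreliable frame.
FRAME = re.compile(r"\s(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_oopses(text):
    """Return one {'rip', 'frames'} record per NULL-dereference report."""
    oopses, cur = [], None
    for line in text.splitlines():
        if "BUG: kernel NULL pointer dereference" in line:
            cur = {"rip": None, "frames": []}
            oopses.append(cur)
        elif cur is None:
            continue  # text before the first report
        elif cur["rip"] is None and (m := RIP.search(line)):
            cur["rip"] = m.group(1)
        elif (m := FRAME.search(line)) and not m.group(1):
            cur["frames"].append(m.group(2))  # reliable frames only
    return oopses

def matches_bareudp_cve(oops):
    """True when the faulting function and its caller match the CVE's trace."""
    return (oops["rip"] == "udp_tunnel6_dst_lookup"
            and "bareudp_fill_metadata_dst" in oops["frames"])

def triage(text):
    """Classify each report and note whether it arrived via the OVS execute path."""
    return [{"rip": o["rip"], "bareudp_match": matches_bareudp_cve(o),
             "via_ovs": "ovs_packet_cmd_execute" in o["frames"]}
            for o in parse_oopses(text)]
```

Requiring both the faulting function and the bareudp caller keeps unrelated NULL dereferences, and other users of udp_tunnel6_dst_lookup(), out of the match.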
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in bareudp_fill_metadata_dst() when the device is down allows a local attacker to crash the system.
Vulnerability
In the Linux kernel, bareudp_fill_metadata_dst() in drivers/net/bareudp.c passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is created in bareudp_open() and set to NULL in bareudp_stop(). Calling the function while the device is down triggers a NULL pointer dereference via sock->sk. This affects all kernel versions containing this bareudp driver code, prior to the fix [1][2][3][4].
Exploitation
An attacker needs local access and the ability to trigger a call to bareudp_fill_metadata_dst() while the bareudp device is down. This can be achieved, for example, by sending a packet through Open vSwitch (OVS) that matches a flow action requiring metadata destination lookup on the bareudp device when it is not open [1]. The attack does not require authentication beyond local network control, and no user interaction is needed beyond the OVS command or similar mechanism.
Impact
Successful exploitation results in a kernel NULL pointer dereference, leading to a system crash (denial of service). No remote code execution is reported, and the attacker does not gain elevated privileges or data access. The vulnerability does not allow bypassing access controls beyond causing a local DoS.
Mitigation
The fix adds a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver [1]. Patched versions are indicated by commits [1], [2], [3], and [4] in the stable kernel trees. Users should update to kernels including these commits (e.g., Linux 6.x.y stable updates). There is no workaround available without applying the patch or ensuring the bareudp device is never used while down. This CVE is not listed on CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
aa6c6d9ee064 bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
1 file changed · +3 −1
drivers/net/bareudp.c+3 −1 modifieddiff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c index 0df3208783ad9e..da5866ba069995 100644 --- a/drivers/net/bareudp.c +++ b/drivers/net/bareudp.c @@ -529,6 +529,9 @@ static int bareudp_fill_metadata_dst(struct net_device *dev, struct in6_addr saddr; struct socket *sock = rcu_dereference(bareudp->sock); + if (!sock) + return -ESHUTDOWN; + dst = udp_tunnel6_dst_lookup(skb, dev, bareudp->net, sock, 0, &saddr, &info->key, sport, bareudp->port, info->key.tos, -- cgit 1.3-korg
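Review bot: the new `if (!sock)` guard in the IPv6 branch carries no comment saying when `sock` can legitimately be NULL. A one-line comment noting that the socket is cleared while the device is down would keep the check from being dropped as dead code in a later cleanup. Only the udp_tunnel6_dst_lookup() call site is guarded in this hunk, so the commit message should also state whether the IPv4 branch of the function uses `sock` at all.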
a0f4e4e8e0f5 bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
2 files changed · +6 −2
drivers/net/bareudp.c+3 −1 modifieddiff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c index 150049d9a81a75..b181c03368153e 100644 --- a/drivers/net/bareudp.c +++ b/drivers/net/bareudp.c @@ -520,6 +520,9 @@ static int bareudp_fill_metadata_dst(struct net_device *dev, struct in6_addr saddr; struct socket *sock = rcu_dereference(bareudp->sock); + if (!sock) + return -ESHUTDOWN; + dst = udp_tunnel6_dst_lookup(skb, dev, bareudp->net, sock, &saddr, info, IPPROTO_UDP, use_cache); -- cgit 1.3-korg
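Review bot: the early `return -ESHUTDOWN` lands between the declarations and the udp_tunnel6_dst_lookup() call, so please confirm that nothing earlier in the IPv6 branch takes a reference or lock that this return would skip releasing. The visible context shows only the `saddr` and `sock` declarations ahead of it, which suggests the return is safe, but the lines above the hunk are not shown. Checking the local `sock` rather than re-reading `bareudp->sock` is the right call, since the lookup then receives the same pointer that was tested.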
35a115a204be bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
2 files changed · +6 −2
drivers/net/bareudp.c+3 −1 modifieddiff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c index fa2dd76ba3d9e2..8d6b632371f894 100644 --- a/drivers/net/bareudp.c +++ b/drivers/net/bareudp.c @@ -528,6 +528,9 @@ static int bareudp_fill_metadata_dst(struct net_device *dev, struct in6_addr saddr; struct socket *sock = rcu_dereference(bareudp->sock); + if (!sock) + return -ESHUTDOWN; + dst = udp_tunnel6_dst_lookup(skb, dev, bareudp->net, sock, 0, &saddr, &info->key, sport, bareudp->port, info->key.tos, -- cgit 1.3-korg
74a02921c48f bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
2 files changed · +6 −2
drivers/net/bareudp.c+3 −1 modifieddiff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c index 0df3208783ad9e..da5866ba069995 100644 --- a/drivers/net/bareudp.c +++ b/drivers/net/bareudp.c @@ -529,6 +529,9 @@ static int bareudp_fill_metadata_dst(struct net_device *dev, struct in6_addr saddr; struct socket *sock = rcu_dereference(bareudp->sock); + if (!sock) + return -ESHUTDOWN; + dst = udp_tunnel6_dst_lookup(skb, dev, bareudp->net, sock, 0, &saddr, &info->key, sport, bareudp->port, info->key.tos, -- cgit 1.3-korg
638905520fc4 bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
1 file changed · +3 −1
drivers/net/bareudp.c+3 −1 modifieddiff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c index 0df3208783ad9e..da5866ba069995 100644 --- a/drivers/net/bareudp.c +++ b/drivers/net/bareudp.c @@ -529,6 +529,9 @@ static int bareudp_fill_metadata_dst(struct net_device *dev, struct in6_addr saddr; struct socket *sock = rcu_dereference(bareudp->sock); + if (!sock) + return -ESHUTDOWN; + dst = udp_tunnel6_dst_lookup(skb, dev, bareudp->net, sock, 0, &saddr, &info->key, sport, bareudp->port, info->key.tos, -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing NULL pointer check on bareudp->sock in the IPv6 path of bareudp_fill_metadata_dst() before passing it to udp_tunnel6_dst_lookup()."
Attack vector
An attacker can trigger a NULL pointer dereference by sending a crafted packet to Open vSwitch that causes `ovs_packet_cmd_execute()` to call `bareudp_fill_metadata_dst()` while the bareudp device is down. The socket is only created in `bareudp_open()` and set to NULL in `bareudp_stop()`, so any call to this function when the device is not open will pass a NULL `sock` to `udp_tunnel6_dst_lookup()`, which dereferences `sock->sk` and crashes the kernel [patch_id=2654151]. No authentication is required; the attacker only needs the ability to send netlink messages to OVS.
Affected code
The vulnerable function is `bareudp_fill_metadata_dst()` in `drivers/net/bareudp.c` (line 532 in the original, line 529 in some backport variants). The IPv6 code path passes `bareudp->sock` to `udp_tunnel6_dst_lookup()` without first checking whether the socket pointer is NULL [patch_id=2654151].
What the fix does
The patch adds a single NULL check on `sock` before the call to `udp_tunnel6_dst_lookup()` in the IPv6 branch of `bareudp_fill_metadata_dst()`. If `sock` is NULL, the function returns `-ESHUTDOWN` immediately, preventing the NULL pointer dereference. This approach is consistent with the existing xmit paths in the same driver, which already perform the same NULL check [patch_id=2654151].
Preconditions
- config: The bareudp network device must exist but be in the down state (i.e., bareudp_stop() has been called, setting bareudp->sock to NULL)
- network: The attacker must be able to send netlink messages to Open vSwitch to trigger ovs_packet_cmd_execute()
- input: The OVS flow must route a packet through the bareudp device's fill_metadata_dst path
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/35a115a204be08f97450b0389413e218268ef4a2 (nvd)
- git.kernel.org/stable/c/638905520fc4fae6a80991563f264131545ba3df (nvd)
- git.kernel.org/stable/c/74a02921c48fcd35a7881956c9e5c52b86595f5d (nvd)
- git.kernel.org/stable/c/a0f4e4e8e0f5e24ddd83e3d1221732621cf34636 (nvd)
- git.kernel.org/stable/c/aa6c6d9ee064aabfede4402fd1283424e649ca19 (nvd)