CVE-2026-23277
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
20/03/2026
Last modified:
18/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit<br />
<br />
teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit<br />
through slave devices, but does not update skb->dev to the slave device<br />
beforehand.<br />
<br />
When a gretap tunnel is a TEQL slave, the transmit path reaches<br />
iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0<br />
master) and later calls iptunnel_xmit_stats(dev, pkt_len). This<br />
function does:<br />
<br />
get_cpu_ptr(dev->tstats)<br />
<br />
Since teql_master_setup() does not set dev->pcpu_stat_type to<br />
NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats<br />
for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes<br />
NULL + __per_cpu_offset[cpu], resulting in a page fault.<br />
<br />
BUG: unable to handle page fault for address: ffff8880e6659018<br />
#PF: supervisor write access in kernel mode<br />
#PF: error_code(0x0002) - not-present page<br />
PGD 68bc067 P4D 68bc067 PUD 0<br />
Oops: Oops: 0002 [#1] SMP KASAN PTI<br />
RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)<br />
Call Trace:<br />
<br />
ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)<br />
__gre_xmit (net/ipv4/ip_gre.c:478)<br />
gre_tap_xmit (net/ipv4/ip_gre.c:779)<br />
teql_master_xmit (net/sched/sch_teql.c:319)<br />
dev_hard_start_xmit (net/core/dev.c:3887)<br />
sch_direct_xmit (net/sched/sch_generic.c:347)<br />
__dev_queue_xmit (net/core/dev.c:4802)<br />
neigh_direct_output (net/core/neighbour.c:1660)<br />
ip_finish_output2 (net/ipv4/ip_output.c:237)<br />
__ip_finish_output.part.0 (net/ipv4/ip_output.c:315)<br />
ip_mc_output (net/ipv4/ip_output.c:369)<br />
ip_send_skb (net/ipv4/ip_output.c:1508)<br />
udp_send_skb (net/ipv4/udp.c:1195)<br />
udp_sendmsg (net/ipv4/udp.c:1485)<br />
inet_sendmsg (net/ipv4/af_inet.c:859)<br />
__sys_sendto (net/socket.c:2206)<br />
<br />
Fix this by setting skb->dev = slave before calling<br />
netdev_start_xmit(), so that tunnel xmit functions see the correct<br />
slave device with properly allocated tstats.
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0bad9c86edd22dec4df83c2b29872d66fd8a2ff4
- https://git.kernel.org/stable/c/0cc0c2e661af418bbf7074179ea5cfffc0a5c466
- https://git.kernel.org/stable/c/21ea283c2750c8307aa35ee832b0951cc993c27d
- https://git.kernel.org/stable/c/383493b9940e3d1b5517424081b3e072e20ec43c
- https://git.kernel.org/stable/c/57c153249143333bbf4ecf927bdf8aa2696ee397
- https://git.kernel.org/stable/c/59b06d8b9bdb6b64b3c534c18da68bce5ccd31be
- https://git.kernel.org/stable/c/6b1f563d670162e188a0f2aec39c24b67b106e17
- https://git.kernel.org/stable/c/81a43e8005366f16e629d8c95dfe05beaa8d36a7