CVE-2026-23286

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 25/03/2026
Last modified: 18/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

atm: lec: fix null-ptr-deref in lec_arp_clear_vccs

syzkaller reported a null-ptr-deref in lec_arp_clear_vccs().
This issue can be easily reproduced using the syzkaller reproducer.

In the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared by
multiple lec_arp_table entries (e.g., via entry->vcc or entry->recv_vcc).
When the underlying VCC is closed, lec_vcc_close() iterates over all
ARP entries and calls lec_arp_clear_vccs() for each matched entry.

For example, when lec_vcc_close() iterates through the hlists in
priv->lec_arp_empty_ones or other ARP tables:

1. In the first iteration, for the first matched ARP entry sharing the VCC,
   lec_arp_clear_vccs() frees the associated vpriv (which is vcc->user_back)
   and sets vcc->user_back to NULL.
2. In the second iteration, for the next matched ARP entry sharing the same
   VCC, lec_arp_clear_vccs() is called again. It obtains a NULL vpriv from
   vcc->user_back (via LEC_VCC_PRIV(vcc)) and then attempts to dereference it
   via `vcc->pop = vpriv->old_pop`, leading to a null-ptr-deref crash.

Fix this by adding a null check for vpriv before dereferencing
it. If vpriv is already NULL, it means the VCC has been cleared
by a previous call, so we can safely skip the cleanup and just
clear the entry's vcc/recv_vcc pointers.

The entire cleanup block (including vcc_release_async()) is placed inside
the vpriv guard because a NULL vpriv indicates the VCC has already been
fully released by a prior iteration — repeating the teardown would
redundantly set flags and trigger callbacks on an already-closing socket.

The Fixes tag points to the initial commit because the entry->vcc path has
been vulnerable since the original code. The entry->recv_vcc path was later
added by commit 8d9f73c0ad2f ("atm: fix a memory leak of vcc->user_back")
with the same pattern, and both paths are fixed here.
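As an added illustration (not the kernel's code or the patch itself), the following user-space model shows the shared-VCC teardown with the vpriv guard applied, so that a second ARP entry pointing at an already-cleared VCC only drops its pointer. The struct layouts, the release counter standing in for vcc_release_async(), and the scenario of two entries sharing one VCC are constructed assumptions.

```c
#include <stdlib.h>

/* Simplified stand-ins for the kernel's atm_vcc, lec_vcc_priv and
 * lec_arp_table (assumption: the real structures have many more fields). */
struct atm_vcc { void *user_back; void (*pop)(struct atm_vcc *); int releases; };
typedef void (*pop_fn)(struct atm_vcc *);
struct lec_vcc_priv { pop_fn old_pop; };
struct lec_arp_table { struct atm_vcc *vcc, *recv_vcc; };

static void driver_pop(struct atm_vcc *vcc) { (void)vcc; }
static void lec_pop(struct atm_vcc *vcc) { (void)vcc; }

/* Drop one ARP entry's reference to a VCC. The vpriv guard is the fix: a second
 * entry sharing the VCC finds user_back == NULL and only forgets its pointer. */
static void release_vcc_ref(struct atm_vcc **slot)
{
    struct atm_vcc *vcc = *slot;
    if (vcc) {
        struct lec_vcc_priv *vpriv = vcc->user_back; /* LEC_VCC_PRIV(vcc) */
        if (vpriv) {
            vcc->pop = vpriv->old_pop;  /* unguarded, this line derefs NULL */
            vcc->user_back = NULL;
            free(vpriv);
            vcc->releases++;            /* stand-in for vcc_release_async() */
        }
        *slot = NULL;
    }
}

static void lec_arp_clear_vccs(struct lec_arp_table *entry)
{
    release_vcc_ref(&entry->vcc);
    release_vcc_ref(&entry->recv_vcc);
}

/* Mimic lec_vcc_close() walking a table where e[0].vcc and e[1].recv_vcc share
 * one VCC. Returns the release count (expected 1), or -1 if state is wrong. */
static int close_shared_vcc(void)
{
    struct lec_arp_table e[2] = {{0}};
    struct atm_vcc *vcc = calloc(1, sizeof *vcc);
    struct lec_vcc_priv *vpriv = malloc(sizeof *vpriv);
    int i, rc;
    vpriv->old_pop = driver_pop; vcc->pop = lec_pop; vcc->user_back = vpriv;
    e[0].vcc = vcc; e[1].recv_vcc = vcc;
    for (i = 0; i < 2; i++) lec_arp_clear_vccs(&e[i]);
    rc = (vcc->pop == driver_pop && !e[0].vcc && !e[1].recv_vcc) ? vcc->releases : -1;
    free(vcc);
    return rc;
}
```

With the guard, the walk over both entries releases the VCC exactly once and restores the driver's original pop callback; removing the `if (vpriv)` check reproduces the second-iteration NULL dereference the advisory describes.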

Impact