CVE-2026-43086

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipvs: fix NULL deref in ip_vs_add_service error path<br /> <br /> When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local<br /> variable sched is set to NULL. If ip_vs_start_estimator() subsequently<br /> fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched)<br /> with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL<br /> check (because svc-&gt;scheduler was set by the successful bind) but then<br /> dereferences the NULL sched parameter at sched-&gt;done_service, causing a<br /> kernel panic at offset 0x30 from NULL.<br /> <br /> Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI<br /> KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]<br /> RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69)<br /> Call Trace:<br /> <br /> ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500)<br /> do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809)<br /> nf_setsockopt (net/netfilter/nf_sockopt.c:102)<br /> [..]<br /> <br /> Fix by simply not clearing the local sched variable after a successful<br /> bind. ip_vs_unbind_scheduler() already detects whether a scheduler is<br /> installed via svc-&gt;scheduler, and keeping sched non-NULL ensures the<br /> error path passes the correct pointer to both ip_vs_unbind_scheduler()<br /> and ip_vs_scheduler_put().<br /> <br /> While the bug is older, the problem popups in more recent kernels (6.2),<br /> when the new error path is taken after the ip_vs_start_estimator() call.