CVE-2026-45846

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/05/2026
Last modified: 27/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()

bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.

BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)
Call Trace:
 bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)
 do_execute_actions (net/openvswitch/actions.c:901)
 ovs_execute_actions (net/openvswitch/actions.c:1589)
 ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)
 genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
 genl_rcv_msg (net/netlink/genetlink.c:1209)
 netlink_rcv_skb (net/netlink/af_netlink.c:2550)

Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.

Impact