CVE-2026-23439

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n<br /> <br /> When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0<br /> (success) without actually creating a socket. Callers such as<br /> fou_create() then proceed to dereference the uninitialized socket<br /> pointer, resulting in a NULL pointer dereference.<br /> <br /> The captured NULL deref crash:<br /> BUG: kernel NULL pointer dereference, address: 0000000000000018<br /> RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)<br /> [...]<br /> Call Trace:<br /> <br /> genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)<br /> genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)<br /> [...]<br /> netlink_rcv_skb (net/netlink/af_netlink.c:2550)<br /> genl_rcv (net/netlink/genetlink.c:1219)<br /> netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)<br /> netlink_sendmsg (net/netlink/af_netlink.c:1894)<br /> __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))<br /> __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))<br /> __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))<br /> do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))<br /> entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)<br /> <br /> This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so<br /> callers correctly take their error paths. There is only one caller of<br /> the vulnerable function and only privileged users can trigger it.