CVE-2026-23277
Undergoing Analysis Undergoing Analysis - In Progress
NULL Pointer Dereference in Linux Kernel TEQL Network Scheduler

Publication date: 2026-03-20

Last updated on: 2026-05-22

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit through slave devices, but does not update skb->dev to the slave device beforehand. When a gretap tunnel is a TEQL slave, the transmit path reaches iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 master) and later calls iptunnel_xmit_stats(dev, pkt_len). This function does: get_cpu_ptr(dev->tstats) Since teql_master_setup() does not set dev->pcpu_stat_type to NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes NULL + __per_cpu_offset[cpu], resulting in a page fault. BUG: unable to handle page fault for address: ffff8880e6659018 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 68bc067 P4D 68bc067 PUD 0 Oops: Oops: 0002 [#1] SMP KASAN PTI RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89) Call Trace: <TASK> ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) __gre_xmit (net/ipv4/ip_gre.c:478) gre_tap_xmit (net/ipv4/ip_gre.c:779) teql_master_xmit (net/sched/sch_teql.c:319) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) neigh_direct_output (net/core/neighbour.c:1660) ip_finish_output2 (net/ipv4/ip_output.c:237) __ip_finish_output.part.0 (net/ipv4/ip_output.c:315) ip_mc_output (net/ipv4/ip_output.c:369) ip_send_skb (net/ipv4/ip_output.c:1508) udp_send_skb (net/ipv4/udp.c:1195) udp_sendmsg (net/ipv4/udp.c:1485) inet_sendmsg (net/ipv4/af_inet.c:859) __sys_sendto (net/socket.c:2206) Fix this by setting skb->dev = slave before calling netdev_start_xmit(), so that tunnel xmit functions see the correct slave device with properly allocated tstats.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-05-22
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23277
EUVD
EUVD-2026-13613
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.19 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
linux linux_kernel From 4.5 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's network scheduling code related to TEQL (True Link Equalizer) devices. Specifically, the function teql_master_xmit() transmits packets through slave devices but fails to update the packet's device pointer (skb->dev) to the slave device before transmission.

When a gretap tunnel is used as a TEQL slave, the transmit path calls iptunnel_xmit(), which saves the device pointer from skb->dev. Because skb->dev still points to the TEQL master device (teql0) instead of the slave, the function iptunnel_xmit_stats() tries to access statistics data (tstats) that were never allocated for the master device. This results in a NULL pointer dereference and a kernel page fault, causing a crash.

The fix involves setting skb->dev to the correct slave device before transmission, ensuring that the tunnel transmit functions access the proper device statistics and avoid the NULL pointer dereference.

Impact Analysis

This vulnerability can cause a kernel crash (page fault) when transmitting packets through a TEQL slave device configured as a gretap tunnel. Such crashes can lead to denial of service (DoS) conditions on affected systems, disrupting network communication and potentially requiring a system reboot to recover.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed by ensuring that skb->dev is set to the slave device before calling netdev_start_xmit(). This prevents the NULL pointer dereference in iptunnel_xmit on TEQL slave transmit.

Immediate mitigation steps include updating the Linux kernel to a version where this fix is applied (post 2026-03-20) to avoid the page fault caused by the NULL pointer dereference.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23277. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart