CVE-2026-23439
Description
In the Linux kernel, the following vulnerability has been resolved: udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 (success) without actually creating a socket. Callers such as fou_create() then proceed to dereference the uninitialized socket pointer, resulting in a NULL pointer dereference. The captured NULL deref crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) [...] Call Trace: <TASK> genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114) genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209) [...] netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1)) __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1)) __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130) This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so callers correctly take their error paths. There is only one caller of the vulnerable function and only privileged users can trigger it.
CVSS Details
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Threat Intelligence
Weaknesses 1
Affected Products 15
| Vendor | Product | Version | Range |
|---|---|---|---|
| linux | linux_kernel | * | ≥3.18.1 – <5.10.253 |
| linux | linux_kernel | * | ≥5.11 – <5.15.203 |
| linux | linux_kernel | * | ≥5.16 – <6.1.167 |
| linux | linux_kernel | * | ≥6.2 – <6.6.130 |
| linux | linux_kernel | * | ≥6.7 – <6.12.78 |
| linux | linux_kernel | * | ≥6.13 – <6.18.20 |
| linux | linux_kernel | * | ≥6.19 – <6.19.10 |
| linux | linux_kernel | 3.18 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
References 8
- git.kernel.org https://git.kernel.org/stable/c/003343985f26dfefd0c94b1fe1316a2de74428b9
- git.kernel.org https://git.kernel.org/stable/c/12aa4b73a67d95bc739995a2d6943aec2f9785c9
- git.kernel.org https://git.kernel.org/stable/c/66117dbb3dbae82f86735bf727b1d59cc677afa1
- git.kernel.org https://git.kernel.org/stable/c/9f036aa0fe46c19e938f03d10e02c23f4fffae5e
- git.kernel.org https://git.kernel.org/stable/c/a05a2149386f6dfb4245f522acdbef892acafc84
- git.kernel.org https://git.kernel.org/stable/c/b3a6df291fecf5f8a308953b65ca72b7fc9e015d
- git.kernel.org https://git.kernel.org/stable/c/ba7c9ddcdd077942b798979edb035207374d4096
- git.kernel.org https://git.kernel.org/stable/c/dfc96ae0074cc47b5478a59e5aa19233e434243f
Remediation
- git.kernel.org https://git.kernel.org/stable/c/003343985f26dfefd0c94b1fe1316a2de74428b9
- git.kernel.org https://git.kernel.org/stable/c/12aa4b73a67d95bc739995a2d6943aec2f9785c9
- git.kernel.org https://git.kernel.org/stable/c/66117dbb3dbae82f86735bf727b1d59cc677afa1
- git.kernel.org https://git.kernel.org/stable/c/9f036aa0fe46c19e938f03d10e02c23f4fffae5e
- git.kernel.org https://git.kernel.org/stable/c/a05a2149386f6dfb4245f522acdbef892acafc84
- git.kernel.org https://git.kernel.org/stable/c/b3a6df291fecf5f8a308953b65ca72b7fc9e015d
- git.kernel.org https://git.kernel.org/stable/c/ba7c9ddcdd077942b798979edb035207374d4096
- git.kernel.org https://git.kernel.org/stable/c/dfc96ae0074cc47b5478a59e5aa19233e434243f