Skip to main content

Linux Kernel CVE-2026-52925

| EUVDEUVD-2026-38728 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-24 Linux GHSA-vg8w-8f3p-9p3c
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local attack only (AV:L); bind() callable by unprivileged user (PR:L); kernel panic is complete availability loss (A:H); no confidentiality or integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 16:09 vuln.today
CVSS changed
Jul 08, 2026 - 15:37 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 07:14 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

vrf: Fix a potential NPD when removing a port from a VRF

RCU readers that identified a net device as a VRF port using netif_is_l3_slave() assume that a subsequent call to netdev_master_upper_dev_get_rcu() will return a VRF device. They then continue to dereference its l3mdev operations.

This assumption is not always correct and can result in a NPD [1]. There is no RCU synchronization when removing a port from a VRF, so it is possible for an RCU reader to see a new master device (e.g., a bridge) that does not have l3mdev operations.

Fix by adding RCU synchronization after clearing the IFF_L3MDEV_SLAVE flag. Skip this synchronization when a net device is removed from a VRF as part of its deletion and when the VRF device itself is deleted. In the latter case an RCU grace period will pass by the time RTNL is released.

[1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] RIP: 0010:l3mdev_fib_table_rcu (net/l3mdev/l3mdev.c:181) [...] Call Trace: <TASK> l3mdev_fib_table_by_index (net/l3mdev/l3mdev.c:201 net/l3mdev/l3mdev.c:189) __inet_bind (net/ipv4/af_inet.c:499 (discriminator 3)) inet_bind_sk (net/ipv4/af_inet.c:469) __sys_bind (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:1951 (discriminator 1)) __x64_sys_bind (net/socket.c:1969 (discriminator 1) net/socket.c:1967 (discriminator 1) net/socket.c:1967 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

AnalysisAI

NULL pointer dereference in the Linux kernel VRF (Virtual Routing and Forwarding) subsystem allows a local low-privileged user to crash the kernel via a race condition between RCU readers and VRF port removal operations, resulting in a complete denial of service on affected systems. Systems using VRF network segmentation are at risk specifically when VRF port membership is dynamically modified concurrent with socket bind() operations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Confirm VRF configured on target
Delivery
Gain local low-privilege access
Exploit
Monitor VRF port removal event
Install
Issue concurrent bind() syscall
C2
Race RCU reader past IFF_L3MDEV_SLAVE clear
Execute
NULL dereference in l3mdev_fib_table_rcu
Impact
Kernel panic, system crash

Vulnerability AssessmentAI

Exploitation Local system access with low-privilege credentials (CVSS PR:L) is required - remote exploitation is not possible (AV:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.1 scores this at 5.5 (Medium) with AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H - the local attack vector and low-privilege requirement are confirmed signals that this cannot be triggered remotely and requires an existing foothold on the target system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local low-privileged user on a Linux router or VRF-enabled network appliance calls bind() on a raw or UDP socket targeting a VRF-segmented interface at the precise moment a network administrator (or automation script) executes ip link set DEV nomaster to remove that interface from the VRF. The kernel's RCU reader, mid-execution in l3mdev_fib_table_rcu(), dereferences a NULL l3mdev_ops pointer from the newly assigned bridge master device, triggering a BUG: kernel NULL pointer dereference panic and crashing the system. …
Remediation Upgrade to a patched Linux kernel version: 5.10.258+, 5.15.209+, 6.1.175+, 6.6.141+, 6.12.91+, 6.18.33+, 7.0.10+, or mainline 7.1+. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52925 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy