Skip to main content

Linux EUVDEUVD-2026-15212

| CVE-2026-23286 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-03-25 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.3 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 29, 2026 - 16:37 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15212
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:26 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

atm: lec: fix null-ptr-deref in lec_arp_clear_vccs

syzkaller reported a null-ptr-deref in lec_arp_clear_vccs(). This issue can be easily reproduced using the syzkaller reproducer.

In the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared by multiple lec_arp_table entries (e.g., via entry->vcc or entry->recv_vcc). When the underlying VCC is closed, lec_vcc_close() iterates over all ARP entries and calls lec_arp_clear_vccs() for each matched entry.

For example, when lec_vcc_close() iterates through the hlists in priv->lec_arp_empty_ones or other ARP tables:

  1. In the first iteration, for the first matched ARP entry sharing the VCC,

lec_arp_clear_vccs() frees the associated vpriv (which is vcc->user_back) and sets vcc->user_back to NULL.

  1. In the second iteration, for the next matched ARP entry sharing the same

VCC, lec_arp_clear_vccs() is called again. It obtains a NULL vpriv from vcc->user_back (via LEC_VCC_PRIV(vcc)) and then attempts to dereference it via vcc->pop = vpriv->old_pop, leading to a null-ptr-deref crash.

Fix this by adding a null check for vpriv before dereferencing it. If vpriv is already NULL, it means the VCC has been cleared by a previous call, so we can safely skip the cleanup and just clear the entry's vcc/recv_vcc pointers.

The entire cleanup block (including vcc_release_async()) is placed inside the vpriv guard because a NULL vpriv indicates the VCC has already been fully released by a prior iteration - repeating the teardown would redundantly set flags and trigger callbacks on an already-closing socket.

The Fixes tag points to the initial commit because the entry->vcc path has been vulnerable since the original code. The entry->recv_vcc path was later added by commit 8d9f73c0ad2f ("atm: fix a memory leak of vcc->user_back") with the same pattern, and both paths are fixed here.

AnalysisAI

A null pointer dereference vulnerability exists in the Linux kernel's ATM LANE module (lec_arp_clear_vccs function) where multiple ARP entries can share the same virtual circuit connection (VCC). When a VCC is closed, the kernel iterates through ARP entries and clears associated VCC pointers; if multiple entries share the same VCC, the first iteration frees the vpriv structure and sets it to NULL, causing subsequent iterations to crash when attempting to dereference the now-NULL pointer. A local attacker can trigger this denial of service condition through crafted ATM socket operations, as demonstrated by existing syzkaller reproducers.

Technical ContextAI

The Linux kernel's Asynchronous Transfer Mode (ATM) LANE (LAN Emulation) subsystem implements support for emulating Ethernet over ATM networks. The vulnerability resides in the lec_arp_clear_vccs() function within the ATM LANE module, which is responsible for clearing virtual circuit connections associated with ARP table entries when a VCC is closed. The root cause is a missing null pointer check (CWE-476: Null Pointer Dereference) in the cleanup logic. Specifically, the function derives vpriv from vcc->user_back without validating that this pointer remains valid across multiple iterations. When multiple lec_arp_table entries (accessed via entry->vcc or entry->recv_vcc) reference the same underlying atm_vcc object, the first call to lec_arp_clear_vccs() properly frees vpriv and nullifies vcc->user_back, but subsequent calls to the same function on different entries sharing that VCC attempt to dereference a now-NULL vpriv pointer. The affected product is the Linux kernel itself (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), with all versions prior to the fix being vulnerable through both the entry->vcc path (present since original code) and the entry->recv_vcc path (added in commit 8d9f73c0ad2f).

RemediationAI

Apply the latest Linux kernel security update from your distribution vendor, which will include the null pointer dereference fix in the lec_arp_clear_vccs() function. The upstream kernel patches are available via git.kernel.org/stable and have been backported to stable kernel branches. For immediate mitigation prior to patching, disable the ATM LANE kernel module if not required for production workloads by blacklisting it (add 'blacklist lec' to /etc/modprobe.d/ and remove any explicit module load directives). Restrict access to ATM socket creation to trusted processes using AppArmor or SELinux policies if ATM networking must remain enabled. For systems that cannot be patched immediately, monitor kernel logs for null pointer dereference panics in the lec module and ensure crash dumps are captured for forensic analysis. Coordinate patching with your kernel maintainer's release schedule, as fixes have been distributed across multiple stable branches (5.10, 5.15, 6.1, 6.6, and later releases per the commit hashes referenced).

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15212 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy