Skip to main content

Linux EUVDEUVD-2026-18680

| CVE-2026-23439 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-03 Linux GHSA-8f9w-9r3m-xjvx
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 23, 2026 - 21:11 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
003343985f26dfefd0c94b1fe1316a2de74428b9,12aa4b73a67d95bc739995a2d6943aec2f9785c9,9f036aa0fe46c19e938f03d10e02c23f4fffae5e
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18680
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n

When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 (success) without actually creating a socket. Callers such as fou_create() then proceed to dereference the uninitialized socket pointer, resulting in a NULL pointer dereference.

The captured NULL deref crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) [...] Call Trace: <TASK> genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114) genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209) [...] netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1)) __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1)) __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)

This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so callers correctly take their error paths. There is only one caller of the vulnerable function and only privileged users can trigger it.

AnalysisAI

Linux kernel NULL pointer dereference in UDP tunnel socket creation when IPv6 is disabled causes denial of service. When CONFIG_IPV6=n, the udp_sock_create6() function incorrectly returns success (0) without creating a socket, leading callers such as fou_create() to dereference an uninitialized pointer. The vulnerability is triggered via netlink socket operations and requires privileged user access; no public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

The vulnerability exists in the Linux kernel's UDP tunnel module (net/ipv4/udp_tunnel.c and net/ipv4/fou_core.c). When IPv6 support is compiled out (CONFIG_IPV6=n), the udp_sock_create6() stub function returns 0 (success) without actually allocating or initializing a socket structure. This violates the function's contract that callers depend on-they assume a successful return means a valid socket pointer was created. Callers like fou_create() then attempt to use the uninitialized pointer, triggering a NULL dereference at offset 0x18 within the socket structure. The root cause is a logic error in conditional compilation where error handling paths are not properly unified across IPv6-enabled and IPv6-disabled kernel configurations. This is classified as improper initialization of resources (related to CWE-908/CWE-1240).

RemediationAI

The primary fix is to update the Linux kernel to a version containing the udp_tunnel NULL deref fix. Apply one of the upstream commits (ba7c9ddcdd077942b798979edb035207374d4096 or equivalent) which changes udp_sock_create6() to return -EPFNOSUPPORT error code instead of success when CONFIG_IPV6 is disabled, allowing callers to properly handle the failure condition. Stable kernel releases incorporating this fix should be available from kernel.org stable branches; users should apply the latest patch release for their currently-deployed kernel series (e.g., 6.1.x, 6.6.x, etc.). As a workaround for systems requiring uptime, disable FOU (Foo-Over-UDP) functionality if not in use, though the recommended action is prompt kernel patching.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy