Skip to main content

Linux Kernel EUVDEUVD-2026-27582

| CVE-2026-43086 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-06 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 01, 2026 - 20:31 vuln.today
CVSS changed
Jun 01, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ipvs: fix NULL deref in ip_vs_add_service error path

When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local variable sched is set to NULL. If ip_vs_start_estimator() subsequently fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched) with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL check (because svc->scheduler was set by the successful bind) but then dereferences the NULL sched parameter at sched->done_service, causing a kernel panic at offset 0x30 from NULL.

Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69) Call Trace: <TASK> ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500) do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809) nf_setsockopt (net/netfilter/nf_sockopt.c:102) [..]

Fix by simply not clearing the local sched variable after a successful bind. ip_vs_unbind_scheduler() already detects whether a scheduler is installed via svc->scheduler, and keeping sched non-NULL ensures the error path passes the correct pointer to both ip_vs_unbind_scheduler() and ip_vs_scheduler_put().

While the bug is older, the problem popups in more recent kernels (6.2), when the new error path is taken after the ip_vs_start_estimator() call.

AnalysisAI

NULL pointer dereference in the Linux kernel IPVS subsystem causes a kernel panic during IPVS service creation failure cleanup, resulting in a full host denial of service. Affected kernels from 6.2 onward contain a logic error in ip_vs_add_service() where a successful scheduler bind sets the local sched variable to NULL; if ip_vs_start_estimator() subsequently fails, the error path calls ip_vs_unbind_scheduler() with that NULL pointer, dereferencing offset 0x30 and triggering a general protection fault. Exploitation requires local authenticated access with CAP_NET_ADMIN privileges; no public exploit is identified and EPSS is 0.02%, indicating very low exploitation probability.

Technical ContextAI

The vulnerability resides in the IPVS (IP Virtual Server) netfilter subsystem, specifically in net/netfilter/ipvs/ip_vs_sched.c (ip_vs_unbind_scheduler at line 69) and ip_vs_ctl.c (ip_vs_add_service at line 1500). IPVS is the Linux kernel transport-layer load balancer used by LVS and Kubernetes kube-proxy in ipvs mode. The root cause is CWE-476 (NULL Pointer Dereference): after ip_vs_bind_scheduler() succeeds it sets the local sched pointer to NULL, signaling that the scheduler is 'consumed' by the service. When ip_vs_start_estimator() then fails, the cleanup path invokes ip_vs_unbind_scheduler(svc, sched) with sched==NULL. The function bypasses the svc->scheduler NULL check (the bind succeeded), but unconditionally dereferences sched->done_service at offset 0x30, crashing the kernel under PREEMPT SMP with KASAN reporting null-ptr-deref in range [0x0000000000000030-0x0000000000000037]. The bug was latent in earlier kernels but became reachable in 6.2 when a new error path following ip_vs_start_estimator() was introduced. CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

Update the Linux kernel to a patched stable release corresponding to your current branch: 6.6.136, 6.12.83, 6.18.24, 6.19.14, or 7.0, as confirmed by EUVD. The fix is a single-line change that retains the local sched pointer after ip_vs_bind_scheduler() succeeds, ensuring the error path passes a valid pointer to both ip_vs_unbind_scheduler() and ip_vs_scheduler_put(). As a compensating control where immediate patching is not feasible, drop CAP_NET_ADMIN from untrusted processes and containers using seccomp profiles or AppArmor/SELinux policies - note this may break legitimate IPVS-based load balancing and Kubernetes kube-proxy in ipvs mode. Alternatively, unloading the ipvs kernel module (modprobe -r ip_vs) eliminates the vulnerable code path entirely but disables all IPVS-based load balancing, which is a significant trade-off in LVS or Kubernetes environments. Upstream stable kernel patches are referenced at https://git.kernel.org/stable/c/.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27582 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy