Skip to main content

Linux Kernel EUVDEUVD-2026-27725

| CVE-2026-43164 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-06 Linux GHSA-vq8h-ghh5-4h7f
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:32 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.5 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

udplite: Fix null-ptr-deref in __udp_enqueue_schedule_skb().

syzbot reported null-ptr-deref of udp_sk(sk)->udp_prod_queue. [0]

Since the cited commit, udp_lib_init_sock() can fail, as can udp_init_sock() and udpv6_init_sock().

Let's handle the error in udplite_sk_init() and udplitev6_sk_init().

[0]: BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:82 [inline] BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] BUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719 Read of size 4 at addr 0000000000000008 by task syz.2.18/2944

CPU: 1 UID: 0 PID: 2944 Comm: syz.2.18 Not tainted syzkaller #0 PREEMPTLAZY Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <IRQ> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 kasan_report+0xa2/0xe0 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200 instrument_atomic_read include/linux/instrumented.h:82 [inline] atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719 __udpv6_queue_rcv_skb net/ipv6/udp.c:795 [inline] udpv6_queue_rcv_one_skb+0xa2e/0x1ad0 net/ipv6/udp.c:906 udp6_unicast_rcv_skb+0x227/0x380 net/ipv6/udp.c:1064 ip6_protocol_deliver_rcu+0xe17/0x1540 net/ipv6/ip6_input.c:438 ip6_input_finish+0x191/0x350 net/ipv6/ip6_input.c:489 NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318 ip6_input+0x16c/0x2b0 net/ipv6/ip6_input.c:500 NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6149 [inline] __netif_receive_skb+0xd3/0x370 net/core/dev.c:6262 process_backlog+0x4d6/0x1160 net/core/dev.c:6614 __napi_poll+0xae/0x320 net/core/dev.c:7678 napi_poll net/core/dev.c:7741 [inline] net_rx_action+0x60d/0xdc0 net/core/dev.c:7893 handle_softirqs+0x209/0x8d0 kernel/softirq.c:622 do_softirq+0x52/0x90 kernel/softirq.c:523 </IRQ> <TASK> __local_bh_enable_ip+0xe7/0x120 kernel/softirq.c:450 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline] __dev_queue_xmit+0x109c/0x2dc0 net/core/dev.c:4856 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] ip6_finish_output+0x158/0x4e0 net/ipv6/ip6_output.c:219 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x342/0x580 net/ipv6/ip6_output.c:246 ip6_send_skb+0x1d7/0x3c0 net/ipv6/ip6_output.c:1984 udp_v6_send_skb+0x9a5/0x1770 net/ipv6/udp.c:1442 udp_v6_push_pending_frames+0xa2/0x140 net/ipv6/udp.c:1469 udpv6_sendmsg+0xfe0/0x2830 net/ipv6/udp.c:1759 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xe5/0x270 net/socket.c:742 __sys_sendto+0x3eb/0x580 net/socket.c:2206 __do_sys_sendto net/socket.c:2213 [inline] __se_sys_sendto net/socket.c:2209 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2209 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd2/0xf20 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f67b4d9c629 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f67b5c98028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f67b5015fa0 RCX: 00007f67b4d9c629 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f67b4e32b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000040000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f67b5016038 R14: 00007f67b5015fa0 R15: 00007ffe3cb66dd8 </TASK>

AnalysisAI

Null pointer dereference in Linux kernel UDP-Lite implementation crashes systems when udp_lib_init_sock() fails during socket initialization. Affects mainline 6.18+ through 6.19.5 and stable 7.0. Remote unauthenticated attackers can trigger denial of service by sending crafted UDP-Lite packets that exploit unhandled initialization errors in udplite_sk_init() and udplitev6_sk_init(), causing NULL pointer access in __udp_enqueue_schedule_skb(). Vendor patches available for 6.18.16, 6.19.6, and 7.0 stable trees. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation is confirmed at time of analysis.

Technical ContextAI

This vulnerability exists in the Linux kernel's UDP-Lite socket implementation (net/ipv4/udp.c, net/ipv6/udp.c). UDP-Lite is a transport protocol variant that allows partial checksums for applications tolerating some data corruption. After commit b650bf0977d3, udp_lib_init_sock() gained the ability to fail, but the UDP-Lite initialization functions (udplite_sk_init/udplitev6_sk_init) lacked error handling for these failures. When socket initialization fails, udp_sk(sk)->udp_prod_queue remains NULL. Subsequent packet arrival triggers __udp_enqueue_schedule_skb() which attempts atomic_read on the NULL pointer at offset 0x8, causing a kernel null-ptr-deref and system crash. The vulnerability manifests during packet receive processing in softirq context, making it triggerable from network input. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* (mainline 6.18-6.19.5, stable 7.0). The root cause is missing return value validation for initialization functions that can now fail.

RemediationAI

Apply vendor-released patches immediately for affected kernel versions: upgrade to Linux 6.18.16 or later for 6.18.x series (commit f27030ac5bef47d997cfac05a3d188aa69f4df7f), upgrade to 6.19.6 or later for 6.19.x series (commit 470c7ca2b4c3e3a51feeb952b7f97a775b5c49cd), or apply stable 7.0 patch (commit 0f13fa087ead642ea1eb5fdb6eb092c913ef06b7). Patches add proper error handling to udplite_sk_init() and udplitev6_sk_init() to validate udp_lib_init_sock() return values. For systems requiring compensating controls before patching, disable UDP-Lite protocol support by blacklisting the udplite kernel module (echo 'blacklist udplite' >> /etc/modprobe.d/disable-udplite.conf && rmmod udplite) if not required for production workloads - this eliminates attack surface entirely but breaks any applications using IPPROTO_UDPLITE sockets. Alternatively, implement host-based firewall rules to block UDP-Lite traffic (IP protocol 136) from untrusted networks using iptables/nftables rules like 'iptables -A INPUT -p udplite -j DROP', though this requires identifying legitimate UDP-Lite flows first to avoid service disruption. Both mitigations are safe for environments not using UDP-Lite but require validation in specialized networking or telecom contexts where the protocol may be in use. Kernel update remains the definitive remediation. Advisories: https://git.kernel.org/stable/c/f27030ac5bef47d997cfac05a3d188aa69f4df7f, https://nvd.nist.gov/vuln/detail/CVE-2026-43164.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27725 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy