SB2026032078 - NULL Pointer Dereference in Linux kernel sched

Description

This security bulletin contains information about 1 security vulnerability.

1) NULL Pointer Dereference (CVE-ID: CVE-2026-23277)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the teql network scheduler component when handling packet transmission through a gretap tunnel configured as a TEQL slave. A remote attacker can send a specially crafted network request to trigger a NULL pointer dereference in iptunnel_xmit, leading to a kernel page fault and system crash.

Exploitation does not require authentication or elevated privileges. The issue arises because the skb->dev field is not updated to the slave device before transmission, causing iptunnel_xmit_stats to access uninitialized tstats via a NULL pointer.

Remediation

Install update from vendor's website.

References

• https://git.kernel.org/stable/c/0bad9c86edd22dec4df83c2b29872d66fd8a2ff4
• https://git.kernel.org/stable/c/0cc0c2e661af418bbf7074179ea5cfffc0a5c466
• https://git.kernel.org/stable/c/21ea283c2750c8307aa35ee832b0951cc993c27d