CVE-2026-43086
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvs: fix NULL deref in ip_vs_add_service error path
When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local variable sched is set to NULL. If ip_vs_start_estimator() subsequently fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched) with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL check (because svc->scheduler was set by the successful bind) but then dereferences the NULL sched parameter at sched->done_service, causing a kernel panic at offset 0x30 from NULL.
Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69) Call Trace: <TASK> ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500) do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809) nf_setsockopt (net/netfilter/nf_sockopt.c:102) [..]
Fix by simply not clearing the local sched variable after a successful bind. ip_vs_unbind_scheduler() already detects whether a scheduler is installed via svc->scheduler, and keeping sched non-NULL ensures the error path passes the correct pointer to both ip_vs_unbind_scheduler() and ip_vs_scheduler_put().
While the bug is older, the problem popups in more recent kernels (6.2), when the new error path is taken after the ip_vs_start_estimator() call.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 705dd34440812735ece298eb5bc153fde9544d42 < 730663352c9178f33fcf5929f4a37c1f1ca5a693 | affected |
| Linux | Linux | 705dd34440812735ece298eb5bc153fde9544d42 < 4039959315008888dd53c37674d33351817a5166 | affected |
| Linux | Linux | 705dd34440812735ece298eb5bc153fde9544d42 < a32dabacee111cea083ddd57a03635672e1bff29 | affected |
| Linux | Linux | 705dd34440812735ece298eb5bc153fde9544d42 < c2ddbe577e2ebf63f2d8fb15cdc7503af70f3e94 | affected |
| Linux | Linux | 705dd34440812735ece298eb5bc153fde9544d42 < 9a91797e61d286805ae10a92cc48959c30800556 | affected |
| Linux | Linux | 6.2 | affected |
| Linux | Linux | 0 < 6.2 | unaffected |
| Linux | Linux | 6.6.136 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.83 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.24 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.14 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/730663352c9178f33fcf5929f4a37c1f1ca5a693
- https://git.kernel.org/stable/c/4039959315008888dd53c37674d33351817a5166
- https://git.kernel.org/stable/c/a32dabacee111cea083ddd57a03635672e1bff29
- https://git.kernel.org/stable/c/c2ddbe577e2ebf63f2d8fb15cdc7503af70f3e94
- https://git.kernel.org/stable/c/9a91797e61d286805ae10a92cc48959c30800556
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.