CVE-2026-45846 – bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()

CVE ID :CVE-2026-45846

Published : May 27, 2026, 11:16 a.m. | 1 hour, 15 minutes ago

Description :In the Linux kernel, the following vulnerability has been resolved:

bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()

bareudp_fill_metadata_dst() passes bareudp->sock to
udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check.
The socket is only created in bareudp_open() and NULLed in
bareudp_stop(), so calling this function while the device is down
triggers a NULL dereference via sock->sk.

BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)
Call Trace:

bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)
do_execute_actions (net/openvswitch/actions.c:901)
ovs_execute_actions (net/openvswitch/actions.c:1589)
ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
genl_rcv_msg (net/netlink/genetlink.c:1209)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)

Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths
in the same driver.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-9689 – Keycloak: org.keycloak.protocol.oidc: http parameter pollution in oidc redirect uri allows response parameter duplication – #ghi-604

CVE-2026-48906 – Extension – tassos.gr – Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla

CVE-2026-45845 – net/sched: taprio: fix NULL pointer dereference in class dump

CVE-2026-45844 – netfilter: arp_tables: fix IEEE1394 ARP payload parsing