CVE-2026-43086

EUVD-2026-27582
In the Linux kernel, the following vulnerability has been resolved:

ipvs: fix NULL deref in ip_vs_add_service error path

When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local
variable sched is set to NULL.  If ip_vs_start_estimator() subsequently
fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched)
with sched == NULL.  ip_vs_unbind_scheduler() passes the cur_sched NULL
check (because svc->scheduler was set by the successful bind) but then
dereferences the NULL sched parameter at sched->done_service, causing a
kernel panic at offset 0x30 from NULL.

 Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI
 KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
 RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69)
 Call Trace:
  <TASK>
  ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500)
  do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809)
  nf_setsockopt (net/netfilter/nf_sockopt.c:102)
  [..]

Fix by simply not clearing the local sched variable after a successful
bind.  ip_vs_unbind_scheduler() already detects whether a scheduler is
installed via svc->scheduler, and keeping sched non-NULL ensures the
error path passes the correct pointer to both ip_vs_unbind_scheduler()
and ip_vs_scheduler_put().

While the bug is older, the problem popups in more recent kernels (6.2),
when the new error path is taken after the ip_vs_start_estimator() call.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
6.2.1 ≤
𝑥
< 6.6.136
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.83
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.24
linuxlinux_kernel
6.19 ≤
𝑥
< 6.19.14
linuxlinux_kernel
6.2
linuxlinux_kernel
7.0:rc1
linuxlinux_kernel
7.0:rc2
linuxlinux_kernel
7.0:rc3
linuxlinux_kernel
7.0:rc4
linuxlinux_kernel
7.0:rc5
linuxlinux_kernel
7.0:rc6
linuxlinux_kernel
7.0:rc7
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.174-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.257-1
fixed
forky
7.0.12-2
fixed
sid
7.0.13-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.94-1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bpftool6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
bpftool6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
bpftool6.18
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
bpftool6.18-debuginfo
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel-livepatch-6.12.83-113.160
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-livepatch-6.18.25-55.108
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-debuginfo-common-aarch64
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-debuginfo-common-x86_64
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-devel
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-headers
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-modules-extra
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-modules-extra-common
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-tools
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-tools-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-tools-devel
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.18
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-debuginfo
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-debuginfo-common-aarch64
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-debuginfo-common-x86_64
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-devel
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-headers
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-modules-extra
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-modules-extra-common
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-tools
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-tools-debuginfo
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
kernel6.18-tools-devel
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
perf6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
perf6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
perf6.18
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
perf6.18-debuginfo
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
python3-perf6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
python3-perf6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
python3-perf6.18
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
python3-perf6.18-debuginfo
Amazon Linux 2023
1:6.18.25-55.108.amzn2023
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/4039959315008888dd53c37674d33351817a5166
https://git.kernel.org/stable/c/730663352c9178f33fcf5929f4a37c1f1ca5a693
https://git.kernel.org/stable/c/9a91797e61d286805ae10a92cc48959c30800556
https://git.kernel.org/stable/c/a32dabacee111cea083ddd57a03635672e1bff29
https://git.kernel.org/stable/c/c2ddbe577e2ebf63f2d8fb15cdc7503af70f3e94