Description
In the Linux kernel, the following vulnerability has been resolved:

ipvs: fix NULL deref in ip_vs_add_service error path

When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local
variable sched is set to NULL. If ip_vs_start_estimator() subsequently
fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched)
with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL
check (because svc->scheduler was set by the successful bind) but then
dereferences the NULL sched parameter at sched->done_service, causing a
kernel panic at offset 0x30 from NULL.

Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69)
Call Trace:
<TASK>
ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500)
do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809)
nf_setsockopt (net/netfilter/nf_sockopt.c:102)
[..]

Fix by simply not clearing the local sched variable after a successful
bind. ip_vs_unbind_scheduler() already detects whether a scheduler is
installed via svc->scheduler, and keeping sched non-NULL ensures the
error path passes the correct pointer to both ip_vs_unbind_scheduler()
and ip_vs_scheduler_put().

While the bug is older, the problem pops up in more recent kernels (6.2),
when the new error path is taken after the ip_vs_start_estimator() call.

Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a NULL pointer dereference in the IPVS subsystem of the Linux kernel. When an IPVS service is added and the scheduler binds successfully, the local sched variable is set to NULL. If ip_vs_start_estimator() then fails, the cleanup path passes this NULL pointer to ip_vs_unbind_scheduler(), which dereferences it and causes a kernel panic. The result is a denial of service that leaves the kernel in an unrecoverable state.
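
The error path from the commit message in the Description, as a user-space C model added here for illustration (not kernel code and not part of the original record). The struct layouts, the shortened function names and the WOULD_OOPS sentinel are assumptions; the sentinel marks the point where the kernel would dereference NULL.

```c
#include <stdio.h>

/* User-space model: names follow the commit message, bodies are assumptions. */
struct scheduler { int refcnt; int done_calls; };
struct service { struct scheduler *scheduler; };
#define WOULD_OOPS (-1) /* where the kernel dereferences NULL */

static int unbind_scheduler(struct service *svc, struct scheduler *sched)
{
    if (!svc->scheduler)   /* cur_sched check: nothing bound */
        return 0;
    if (!sched)            /* kernel reads sched->done_service here */
        return WOULD_OOPS;
    sched->done_calls++;   /* stands in for sched->done_service(svc) */
    svc->scheduler = NULL;
    return 0;
}

static void scheduler_put(struct scheduler *sched)
{
    if (sched)
        sched->refcnt--;
}

/* clear_after_bind = 1 models the pre-fix code, 0 the fixed code. */
static int add_service(struct scheduler *sched, int clear_after_bind,
                       int estimator_fails)
{
    struct service svc = { NULL };
    int ret = 0;
    sched->refcnt++;           /* reference held by the caller's lookup */
    svc.scheduler = sched;     /* successful bind sets svc->scheduler */
    if (clear_after_bind)
        sched = NULL;          /* pre-fix: local cleared after the bind */
    if (estimator_fails) {     /* out_err cleanup */
        ret = unbind_scheduler(&svc, sched);
        scheduler_put(sched);
    }
    return ret;
}

int main(void)
{
    struct scheduler a = {0, 0}, b = {0, 0};
    int pre = add_service(&a, 1, 1), post = add_service(&b, 0, 1);
    printf("pre-fix: ret=%d refcnt=%d\n", pre, a.refcnt);
    printf("fixed:   ret=%d refcnt=%d\n", post, b.refcnt);
    return 0;
}
```

In the model, the pre-fix cleanup reaches the NULL parameter because the cur_sched check only looks at svc->scheduler; with the local kept, the same cleanup runs the done hook and drops the reference.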

Affected Systems

Linux kernel builds that include the IPVS (IP Virtual Server) module and have not yet applied the relevant patch are vulnerable. The regression becomes observable in recent releases such as 6.2 when the new error path is exercised after a failure in ip_vs_start_estimator. Any system running a vulnerable kernel with IPVS enabled and accessible to privileged callers can be affected.

Risk and Exploitability

The CVSS score of 5.5 classifies the vulnerability as medium severity. The EPSS score is < 1 %, indicating a very low probability of exploitation according to the EPSS model. The vulnerability is not yet listed in the CISA KEV catalog, so no publicly known exploits exist. The likely attack vector requires an attacker with application‑level or privileged access to invoke nf_setsockopt and add or modify an IPVS service. If the error path is triggered, the system will crash, resulting in a denial of service that impacts availability but does not directly compromise confidentiality or integrity.

Generated by OpenCVE AI on May 7, 2026 at 03:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit preserving the scheduler pointer during the error path
  • Disable the IPVS subsystem if it is not required so that the vulnerable code path is unreachable
  • Restrict or audit privileged access to nf_setsockopt so that only trusted users can configure IPVS services


Advisories

No advisories yet.

History

Thu, 07 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics
  Removed: threat_severity: None
  Added: cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Moderate

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Title ipvs: fix NULL deref in ip_vs_add_service error path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T07:40:20.631Z

Reserved: 2026-05-01T14:12:55.983Z

Link: CVE-2026-43086

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T10:16:21.837

Modified: 2026-05-06T13:08:07.970

Link: CVE-2026-43086

Redhat

Severity: Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43086 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T04:00:14Z

Weaknesses