Description
In the Linux kernel, the following vulnerability has been resolved:

bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()

bareudp_fill_metadata_dst() passes bareudp->sock to
udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check.
The socket is only created in bareudp_open() and NULLed in
bareudp_stop(), so calling this function while the device is down
triggers a NULL dereference via sock->sk.

BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)
Call Trace:
<TASK>
bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)
do_execute_actions (net/openvswitch/actions.c:901)
ovs_execute_actions (net/openvswitch/actions.c:1589)
ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
genl_rcv_msg (net/netlink/genetlink.c:1209)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
</TASK>

Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths
in the same driver.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Linux kernels that include the bareudp RFC 2135 driver, a flaw allows a NULL pointer dereference when the driver attempts to resolve a destination address after the interface has been shut down. The driver passes a NULL socket into a lookup routine in the IPv6 path, causing a kernel panic. This is a memory corruption vulnerability that results in a denial‑of‑service by bringing the system down.

Affected Systems

All Linux kernel builds that compile the bareudp driver are potentially affected. The vulnerability applies to kernel versions prior to the commit that added a NULL check in bareudp_fill_metadata_dst(). Exact version ranges are not specified, so any distribution kernel that still contains the buggy code is vulnerable until a patch is applied.

Risk and Exploitability

The EPSS score of < 1% indicates a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalogue, suggesting no known active exploitation. Nevertheless, the bug provides a clear trigger for a kernel crash and is rated medium severity. The most likely attack vector is the execution of a bareudp operation on a device that has been stopped, which could be triggered locally or remotely if the network interface is exposed.

Generated by OpenCVE AI on May 28, 2026 at 02:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that adds a NULL check to bareudp_fill_metadata_dst() and rebuild the kernel
  • Verify that bareudp interfaces are not stopped while operations may still be in flight
  • If the system cannot be patched immediately, disable the bareudp RFC 2135 driver or avoid exposing it to untrusted configurations

Generated by OpenCVE AI on May 28, 2026 at 02:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 27 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk. BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160) Call Trace: <TASK> bareudp_fill_metadata_dst (drivers/net/bareudp.c:532) do_execute_actions (net/openvswitch/actions.c:901) ovs_execute_actions (net/openvswitch/actions.c:1589) ovs_packet_cmd_execute (net/openvswitch/datapath.c:700) genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114) genl_rcv_msg (net/netlink/genetlink.c:1209) netlink_rcv_skb (net/netlink/af_netlink.c:2550) </TASK> Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.
Title bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:46:30.495Z

Reserved: 2026-05-13T15:03:33.078Z

Link: CVE-2026-45846

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T11:16:24.083

Modified: 2026-06-01T17:17:15.133

Link: CVE-2026-45846

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45846 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T02:45:05Z

Weaknesses