CVE-2026-52925 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

vrf: Fix a potential NPD when removing a port from a VRF

RCU readers that identified a net device as a VRF port using
netif_is_l3_slave() assume that a subsequent call to
netdev_master_upper_dev_get_rcu() will return a VRF device. They then
continue to dereference its l3mdev operations.

This assumption is not always correct and can result in a NPD [1]. There
is no RCU synchronization when removing a port from a VRF, so it is
possible for an RCU reader to see a new master device (e.g., a bridge)
that does not have l3mdev operations.

Fix by adding RCU synchronization after clearing the IFF_L3MDEV_SLAVE
flag. Skip this synchronization when a net device is removed from a VRF
as part of its deletion and when the VRF device itself is deleted. In
the latter case an RCU grace period will pass by the time RTNL is
released.

[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
RIP: 0010:l3mdev_fib_table_rcu (net/l3mdev/l3mdev.c:181)
[...]
Call Trace:
<TASK>
l3mdev_fib_table_by_index (net/l3mdev/l3mdev.c:201 net/l3mdev/l3mdev.c:189)
__inet_bind (net/ipv4/af_inet.c:499 (discriminator 3))
inet_bind_sk (net/ipv4/af_inet.c:469)
__sys_bind (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:1951 (discriminator 1))
__x64_sys_bind (net/socket.c:1969 (discriminator 1) net/socket.c:1967 (discriminator 1) net/socket.c:1967 (discriminator 1))
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Published: 2026-06-24

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A race condition in the Linux kernel’s VRF (Virtual Routing and Forwarding) subsystem allows an RCU reader to observe a stale master device after a port is detached from a VRF. The kernel incorrectly assumes that a subsequent call to netdev_master_upper_dev_get_rcu() will return a VRF device, then dereferences its l3mdev operations without confirming the device’s validity. The flaw can lead to a NULL pointer dereference, causing a kernel crash and resulting in a denial of service. The described vulnerability is a classic NULL pointer dereference (CWE‑476).

Affected Systems

The issue affects any Linux kernel built from the mainline tree prior to the patch that adds RCU synchronization for VRF port removal. Vendors ship kernel versions that have not yet included the fix, and the vulnerability is present in the generic Linux kernel distribution as it stands in the Linux kernel source tree. Because the CVE references source code commits, the flaw is purely a kernel software bug and not tied to a specific distribution build or version range in the data.

Risk and Exploitability

The CVSS score is not disclosed, and EPSS is unavailable, so the exact exploitation probability is unknown. However, the flaw requires the ability to remove a port from a VRF, which generally demands root or equivalent privilege on the local system. Therefore the likely attack vector is local, and the primary impact is a system crash that disrupts availability. The fix adds RCU synchronization to prevent the stale pointer scenario, and the vulnerability has not yet been observed in the wild, as evidenced by its absence from the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`fdeea7be88b12742bfd50d9e19a06c0d2e702400`	affected	< 2c022f582fd16a470df6ed9e7fb7e9fc48946d49
`fdeea7be88b12742bfd50d9e19a06c0d2e702400`	affected	< 4ab6fc60ed5a0344b60711b09bff1dc238d8d6a4
`fdeea7be88b12742bfd50d9e19a06c0d2e702400`	affected	< 468defa0b70902a22f4478c1207624bc1b31c124
`fdeea7be88b12742bfd50d9e19a06c0d2e702400`	affected	< 3db8d078f7f652379ee394132b169d304f6eb4c1
`fdeea7be88b12742bfd50d9e19a06c0d2e702400`	affected	< 8c2b792f04a3db97c9d8d2a45817e93f8884baf5
`fdeea7be88b12742bfd50d9e19a06c0d2e702400`	affected	< a7a97f2303e63ede105c1d55ef53dc497364e11d
`fdeea7be88b12742bfd50d9e19a06c0d2e702400`	affected	< d47204c127992da0c976ac9747070a575912e0fe
`fdeea7be88b12742bfd50d9e19a06c0d2e702400`	affected	< 2674d603a9e6970463b2b9ebcf8e31e90beae169

Linux

affected

Version	Status	Constraints
`4.12`	affected	—
`0`	unaffected	< 4.12
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[fdeea7be88b12742bfd50d9e19a06c0d2e702400,2c022f582fd16a470df6ed9e7fb7e9fc48946d49)`	affected	code_commit	—
`[fdeea7be88b12742bfd50d9e19a06c0d2e702400,4ab6fc60ed5a0344b60711b09bff1dc238d8d6a4)`	affected	code_commit	—
`[fdeea7be88b12742bfd50d9e19a06c0d2e702400,468defa0b70902a22f4478c1207624bc1b31c124)`	affected	code_commit	—
`[fdeea7be88b12742bfd50d9e19a06c0d2e702400,3db8d078f7f652379ee394132b169d304f6eb4c1)`	affected	code_commit	—
`[fdeea7be88b12742bfd50d9e19a06c0d2e702400,8c2b792f04a3db97c9d8d2a45817e93f8884baf5)`	affected	code_commit	—
`[fdeea7be88b12742bfd50d9e19a06c0d2e702400,a7a97f2303e63ede105c1d55ef53dc497364e11d)`	affected	code_commit	—
`[fdeea7be88b12742bfd50d9e19a06c0d2e702400,d47204c127992da0c976ac9747070a575912e0fe)`	affected	code_commit	—
`[fdeea7be88b12742bfd50d9e19a06c0d2e702400,2674d603a9e6970463b2b9ebcf8e31e90beae169)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.12`	affected	generic	—
`[0,4.12)`	unaffected	generic	—
`[5.10.258,5.11.0)`	unaffected	semver	—
`[5.15.209,5.16.0)`	unaffected	semver	—
`[6.1.175,6.2.0)`	unaffected	semver	—
`[6.6.141,6.7.0)`	unaffected	semver	—
`[6.12.91,6.13.0)`	unaffected	semver	—
`[6.18.33,6.19.0)`	unaffected	semver	—
`[7.0.10,7.1.0)`	unaffected	semver	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to the latest release that includes the RCU synchronization patch for VRF port removal.
If an immediate kernel upgrade is not feasible, limit VRF port removal to privileged users and disable configuration changes to VRFs during the patching window.
Continuously monitor system logs for kernel panic or NULL pointer dereference messages related to l3mdev and apply network segmentation to mitigate any forced port removal during the patch deployment.

Generated by OpenCVE AI on June 24, 2026 at 13:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00164.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2674d603a9e6970463b2b9ebcf8e31e90beae169
https://git.kernel.org/stable/c/2c022f582fd16a470df6ed9e7fb7e9fc48946d49
https://git.kernel.org/stable/c/3db8d078f7f652379ee394132b169d304f6eb4c1
https://git.kernel.org/stable/c/468defa0b70902a22f4478c1207624bc1b31c124
https://git.kernel.org/stable/c/4ab6fc60ed5a0344b60711b09bff1dc238d8d6a4
https://git.kernel.org/stable/c/8c2b792f04a3db97c9d8d2a45817e93f8884baf5
https://git.kernel.org/stable/c/a7a97f2303e63ede105c1d55ef53dc497364e11d
https://git.kernel.org/stable/c/d47204c127992da0c976ac9747070a575912e0fe

History

Wed, 24 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: vrf: Fix a potential NPD when removing a port from a VRF RCU readers that identified a net device as a VRF port using netif_is_l3_slave() assume that a subsequent call to netdev_master_upper_dev_get_rcu() will return a VRF device. They then continue to dereference its l3mdev operations. This assumption is not always correct and can result in a NPD [1]. There is no RCU synchronization when removing a port from a VRF, so it is possible for an RCU reader to see a new master device (e.g., a bridge) that does not have l3mdev operations. Fix by adding RCU synchronization after clearing the IFF_L3MDEV_SLAVE flag. Skip this synchronization when a net device is removed from a VRF as part of its deletion and when the VRF device itself is deleted. In the latter case an RCU grace period will pass by the time RTNL is released. [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] RIP: 0010:l3mdev_fib_table_rcu (net/l3mdev/l3mdev.c:181) [...] Call Trace: <TASK> l3mdev_fib_table_by_index (net/l3mdev/l3mdev.c:201 net/l3mdev/l3mdev.c:189) __inet_bind (net/ipv4/af_inet.c:499 (discriminator 3)) inet_bind_sk (net/ipv4/af_inet.c:469) __sys_bind (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:1951 (discriminator 1)) __x64_sys_bind (net/socket.c:1969 (discriminator 1) net/socket.c:1967 (discriminator 1) net/socket.c:1967 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Title		vrf: Fix a potential NPD when removing a port from a VRF
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2674d603a9e6970463b2b9ebcf8e31e90beae169 https://git.kernel.org/stable/c/2c022f582fd16a470df6ed9e7fb7e9fc48946d49 https://git.kernel.org/stable/c/3db8d078f7f652379ee394132b169d304f6eb4c1 https://git.kernel.org/stable/c/468defa0b70902a22f4478c1207624bc1b31c124 https://git.kernel.org/stable/c/4ab6fc60ed5a0344b60711b09bff1dc238d8d6a4 https://git.kernel.org/stable/c/8c2b792f04a3db97c9d8d2a45817e93f8884baf5 https://git.kernel.org/stable/c/a7a97f2303e63ede105c1d55ef53dc497364e11d https://git.kernel.org/stable/c/d47204c127992da0c976ac9747070a575912e0fe

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T07:14:19.351Z

Updated: 2026-06-24T07:14:19.351Z

Reserved: 2026-06-09T07:44:35.368Z

Link: CVE-2026-52925

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:45:03Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object