Impact
A null pointer dereference occurs in the BPF helper function bpf_lwt_xmit_push_encap when a socket buffer is constructed by bpf_prog_test_run_skb without initializing skb->_skb_refdst. The helper then accesses skb_dst(skb)->dev, which dereferences a null pointer and causes a kernel panic. Triggering this bug requires execution of a malicious BPF program via the test run interface, leading to a complete system crash. The flaw originates from improper initialization of a kernel data structure, aligning with CWE-824.
Affected Systems
The vulnerability affects Linux kernel implementations. The vendor list identifies only Linux:Linux, indicating that any distribution shipping a kernel containing the unpatched code may be affected. No explicit kernel versions are enumerated; users should verify that their kernel includes the 2026-53111 patch.
Risk and Exploitability
The CVSS score is 5.5, indicating medium severity. The EPSS score is less than 1%, implying a very low but nonzero probability of exploitation. The vulnerability is not listed in CISA KEV. The likely attack vector is the BPF test run system call; an attacker must be able to load a BPF program that exercises the vulnerable helper, which can be achieved by a local privileged user or through higher-level interfaces that internally invoke bpf_prog_test_run_skb. Although no public exploit is reported, the absence from KEV does not eliminate the risk of a local or remote attacker gaining elevated privileges to trigger the crash.
OpenCVE Enrichment
Debian DLA