Impact
In the Linux kernel, an improper handling of the skb->dev field in the UDP receive path can cause a general protection fault. The field, repurposed as dev_scratch during an in‑flight UDP packet, remains non‑NULL when a sockmap verdict program performs a socket lookup. The lookup function interprets this value as a net_device pointer, dereferencing an invalid memory address and crashing the kernel with an oops. The crash degrades system availability.
Affected Systems
The issue affects all Linux kernel implementations that incorporate the buggy udp code before the patch that map verdict. The commit references in the advisory (e.g., 1b585673a2249ac683ba767e0b6) represent the listed, so any supported kernel that has not yet applied this change is vulnerable.
Risk and Exploitability
The vulnerability is exploitable by an attacker who can craft a UDP packet that triggers a sockmap verdict program using socket‑lookup helpers. The EPSS score is the vulnerability is not listed in the KEV catalog, suggesting no publicly documented exploits. The code path is reachable through normal networking operations and BPF interfaces, and because the fault occurs in softirq it is straightforward to trigger a panic once the conditions are satisfied, providing a deterministic denial of service vector. The CVSS score of 7.5 indicates high severity.
OpenCVE Enrichment
Debian DLA