{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-20T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit",
    "id" : "2449560",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2449560"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit\nteql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit\nthrough slave devices, but does not update skb->dev to the slave device\nbeforehand.\nWhen a gretap tunnel is a TEQL slave, the transmit path reaches\niptunnel_xmit() which saves dev = skb->dev (still pointing to teql0\nmaster) and later calls iptunnel_xmit_stats(dev, pkt_len). This\nfunction does:\nget_cpu_ptr(dev->tstats)\nSince teql_master_setup() does not set dev->pcpu_stat_type to\nNETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats\nfor teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes\nNULL + __per_cpu_offset[cpu], resulting in a page fault.\nBUG: unable to handle page fault for address: ffff8880e6659018\n#PF: supervisor write access in kernel mode\n#PF: error_code(0x0002) - not-present page\nPGD 68bc067 P4D 68bc067 PUD 0\nOops: Oops: 0002 [#1] SMP KASAN PTI\nRIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)\nCall Trace:\n<TASK>\nip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n__gre_xmit (net/ipv4/ip_gre.c:478)\ngre_tap_xmit (net/ipv4/ip_gre.c:779)\nteql_master_xmit (net/sched/sch_teql.c:319)\ndev_hard_start_xmit (net/core/dev.c:3887)\nsch_direct_xmit (net/sched/sch_generic.c:347)\n__dev_queue_xmit (net/core/dev.c:4802)\nneigh_direct_output (net/core/neighbour.c:1660)\nip_finish_output2 (net/ipv4/ip_output.c:237)\n__ip_finish_output.part.0 (net/ipv4/ip_output.c:315)\nip_mc_output (net/ipv4/ip_output.c:369)\nip_send_skb (net/ipv4/ip_output.c:1508)\nudp_send_skb (net/ipv4/udp.c:1195)\nudp_sendmsg (net/ipv4/udp.c:1485)\ninet_sendmsg (net/ipv4/af_inet.c:859)\n__sys_sendto (net/socket.c:2206)\nFix this by setting skb->dev = slave before calling\nnetdev_start_xmit(), so that tunnel xmit functions see the correct\nslave device with properly allocated tstats.", "A flaw was found in the Linux kernel. A null pointer dereference vulnerability exists in the Traffic Equalizer (TEQL) module's interaction with the IP tunneling framework. When a Generic Routing Encapsulation (GRE) tap tunnel acts as a TEQL slave, the system attempts to access uninitialized statistics data, leading to a system crash. This can result in a Denial of Service (DoS)." ],
  "statement" : "A NULL pointer dereference can occur in the tunnel transmit stats path when a gretap device is configured as a TEQL slave. teql_master_xmit() forwards packets to the slave via netdev_start_xmit() but fails to update skb->dev to the slave device. As a result, iptunnel_xmit() reads skb->dev as the teql0 master and later calls iptunnel_xmit_stats(), which uses dev->tstats. The teql0 master does not allocate tstats, so dev->tstats is NULL, and get_cpu_ptr() on the NULL pointer triggers a page fault and crashes the kernel. The issue is not directly network reachable from outside. It requires a specific local network configuration and can be triggered by sending traffic once the devices are set up. Impact is denial of service via kernel crash.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23277\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23277\nhttps://lore.kernel.org/linux-cve-announce/2026032036-CVE-2026-23277-e478@gregkh/T" ],
  "name" : "CVE-2026-23277",
  "csaw" : false
}