ipvs: fix NULL deref in ip_vs_add_service error path
Summary
| CVE | CVE-2026-43086 |
|---|
| State | PUBLISHED |
|---|
| Assigner | Linux |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2026-05-06 10:16:21 UTC |
|---|
| Updated | 2026-05-06 13:08:07 UTC |
|---|
| Description | In the Linux kernel, the following vulnerability has been resolved:
ipvs: fix NULL deref in ip_vs_add_service error path
When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local
variable sched is set to NULL. If ip_vs_start_estimator() subsequently
fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched)
with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL
check (because svc->scheduler was set by the successful bind) but then
dereferences the NULL sched parameter at sched->done_service, causing a
kernel panic at offset 0x30 from NULL.
Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69)
Call Trace:
<TASK>
ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500)
do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809)
nf_setsockopt (net/netfilter/nf_sockopt.c:102)
[..]
Fix by simply not clearing the local sched variable after a successful
bind. ip_vs_unbind_scheduler() already detects whether a scheduler is
installed via svc->scheduler, and keeping sched non-NULL ensures the
error path passes the correct pointer to both ip_vs_unbind_scheduler()
and ip_vs_scheduler_put().
While the bug is older, the problem popups in more recent kernels (6.2),
when the new error path is taken after the ip_vs_start_estimator() call. |
|---|
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|
| CNA |
Linux |
Linux |
affected 705dd34440812735ece298eb5bc153fde9544d42 730663352c9178f33fcf5929f4a37c1f1ca5a693 git |
Not specified |
| CNA |
Linux |
Linux |
affected 705dd34440812735ece298eb5bc153fde9544d42 4039959315008888dd53c37674d33351817a5166 git |
Not specified |
| CNA |
Linux |
Linux |
affected 705dd34440812735ece298eb5bc153fde9544d42 a32dabacee111cea083ddd57a03635672e1bff29 git |
Not specified |
| CNA |
Linux |
Linux |
affected 705dd34440812735ece298eb5bc153fde9544d42 c2ddbe577e2ebf63f2d8fb15cdc7503af70f3e94 git |
Not specified |
| CNA |
Linux |
Linux |
affected 705dd34440812735ece298eb5bc153fde9544d42 9a91797e61d286805ae10a92cc48959c30800556 git |
Not specified |
| CNA |
Linux |
Linux |
affected 6.2 |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.2 semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.6.136 6.6.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.12.83 6.12.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.18.24 6.18.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.19.14 6.19.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 7.0 * original_commit_for_fix |
Not specified |
References
| Reference | Source | Link | Tags |
|---|
| git.kernel.org/stable/c/a32dabacee111cea083ddd57a03635672e1bff29 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/9a91797e61d286805ae10a92cc48959c30800556 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/4039959315008888dd53c37674d33351817a5166 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/730663352c9178f33fcf5929f4a37c1f1ca5a693 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/c2ddbe577e2ebf63f2d8fb15cdc7503af70f3e94 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.
