HOMEVULNERABILITIESCVE-2026-23277
NONE

CVE-2026-23277

Published: March 20, 2026· Updated: Mar 25, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:5.9th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit

teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit

through slave devices, but does not update skb->dev to the slave device

beforehand.

When a gretap tunnel is a TEQL slave, the transmit path reaches

iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0

master) and later calls iptunnel_xmit_stats(dev, pkt_len). This

function does:

get_cpu_ptr(dev->tstats)

Since teql_master_setup() does not set dev->pcpu_stat_type to

NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats

for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes

NULL + __per_cpu_offset[cpu], resulting in a page fault.

BUG: unable to handle page fault for address: ffff8880e6659018

#PF: supervisor write access in kernel mode

#PF: error_code(0x0002) - not-present page

PGD 68bc067 P4D 68bc067 PUD 0

Oops: Oops: 0002 [#1] SMP KASAN PTI

RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)

Call Trace:

<TASK>

ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)

__gre_xmit (net/ipv4/ip_gre.c:478)

gre_tap_xmit (net/ipv4/ip_gre.c:779)

teql_master_xmit (net/sched/sch_teql.c:319)

dev_hard_start_xmit (net/core/dev.c:3887)

sch_direct_xmit (net/sched/sch_generic.c:347)

__dev_queue_xmit (net/core/dev.c:4802)

neigh_direct_output (net/core/neighbour.c:1660)

ip_finish_output2 (net/ipv4/ip_output.c:237)

__ip_finish_output.part.0 (net/ipv4/ip_output.c:315)

ip_mc_output (net/ipv4/ip_output.c:369)

ip_send_skb (net/ipv4/ip_output.c:1508)

udp_send_skb (net/ipv4/udp.c:1195)

udp_sendmsg (net/ipv4/udp.c:1485)

inet_sendmsg (net/ipv4/af_inet.c:859)

__sys_sendto (net/socket.c:2206)

Fix this by setting skb->dev = slave before calling

netdev_start_xmit(), so that tunnel xmit functions see the correct

slave device with properly allocated tstats.

NVD Source

Technical Analysis

CVE-2026-23277 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (6)

Quick Facts

CVE IDCVE-2026-23277
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMar 20, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23277 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.