Null Pointer Dereference in Linux Kernel's BareUDP Component
CVE-2026-45846
Currently unrated
What is CVE-2026-45846?
The BareUDP implementation in the Linux kernel contains a NULL pointer dereference: the function bareudp_fill_metadata_dst() does not check for a NULL socket pointer before invoking udp_tunnel6_dst_lookup(). When the function executes while the device is down, the missing check can lead to a kernel NULL pointer dereference, resulting in operational instability. The vulnerability is primarily triggered during specific transmission paths and poses risks to system reliability and performance.
Affected Version(s)
Linux 571912c69f0ed731bd1e071ade9dc7ca4aa52065
Linux 571912c69f0ed731bd1e071ade9dc7ca4aa52065 < 35a115a204be08f97450b0389413e218268ef4a2
Linux 571912c69f0ed731bd1e071ade9dc7ca4aa52065 < 74a02921c48fcd35a7881956c9e5c52b86595f5d