CVE-2026-45846 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()

bareudp_fill_metadata_dst() passes bareudp->sock to
udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check.
The socket is only created in bareudp_open() and NULLed in
bareudp_stop(), so calling this function while the device is down
triggers a NULL dereference via sock->sk.

BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)
Call Trace:
<TASK>
bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)
do_execute_actions (net/openvswitch/actions.c:901)
ovs_execute_actions (net/openvswitch/actions.c:1589)
ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)
genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)
genl_rcv_msg (net/netlink/genetlink.c:1209)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
</TASK>

Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths
in the same driver.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00115.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`571912c69f0ed731bd1e071ade9dc7ca4aa52065`	affected	< 31e010a106ff6cd8ccac4bfee547fd3fa1015574
`571912c69f0ed731bd1e071ade9dc7ca4aa52065`	affected	< 55193df8d6d33318435f19572bf5ea47a22eee28
`571912c69f0ed731bd1e071ade9dc7ca4aa52065`	affected	< 51eef9c072aa3405a6823a96ae666d38a3b48750
`571912c69f0ed731bd1e071ade9dc7ca4aa52065`	affected	< a0f4e4e8e0f5e24ddd83e3d1221732621cf34636
`571912c69f0ed731bd1e071ade9dc7ca4aa52065`	affected	< 35a115a204be08f97450b0389413e218268ef4a2
`571912c69f0ed731bd1e071ade9dc7ca4aa52065`	affected	< 74a02921c48fcd35a7881956c9e5c52b86595f5d
`571912c69f0ed731bd1e071ade9dc7ca4aa52065`	affected	< 638905520fc4fae6a80991563f264131545ba3df
`571912c69f0ed731bd1e071ade9dc7ca4aa52065`	affected	< aa6c6d9ee064aabfede4402fd1283424e649ca19

Linux

affected

Version	Status	Constraints
`5.7`	affected	—
`0`	unaffected	< 5.7
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

Source	ID	Title
Debian DSA	DSA-6355-1	linux security update

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/31e010a106ff6cd8ccac4bfee547fd3fa1015574
https://git.kernel.org/stable/c/35a115a204be08f97450b0389413e218268ef4a2
https://git.kernel.org/stable/c/51eef9c072aa3405a6823a96ae666d38a3b48750
https://git.kernel.org/stable/c/55193df8d6d33318435f19572bf5ea47a22eee28
https://git.kernel.org/stable/c/638905520fc4fae6a80991563f264131545ba3df
https://git.kernel.org/stable/c/74a02921c48fcd35a7881956c9e5c52b86595f5d
https://git.kernel.org/stable/c/a0f4e4e8e0f5e24ddd83e3d1221732621cf34636
https://git.kernel.org/stable/c/aa6c6d9ee064aabfede4402fd1283424e649ca19
https://lore.kernel.org/linux-cve-announce/2026052713-CVE-2026-45846-ddca@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45846
https://www.cve.org/CVERecord?id=CVE-2026-45846

History

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/31e010a106ff6cd8ccac4bfee547fd3fa1015574 https://git.kernel.org/stable/c/51eef9c072aa3405a6823a96ae666d38a3b48750 https://git.kernel.org/stable/c/55193df8d6d33318435f19572bf5ea47a22eee28

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026052713-CVE-2026-45846-ddca@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45846 https://www.cve.org/CVERecord?id=CVE-2026-45846
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 27 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Wed, 27 May 2026 10:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk. BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160) Call Trace: <TASK> bareudp_fill_metadata_dst (drivers/net/bareudp.c:532) do_execute_actions (net/openvswitch/actions.c:901) ovs_execute_actions (net/openvswitch/actions.c:1589) ovs_packet_cmd_execute (net/openvswitch/datapath.c:700) genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114) genl_rcv_msg (net/netlink/genetlink.c:1209) netlink_rcv_skb (net/netlink/af_netlink.c:2550) </TASK> Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.
Title		bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/35a115a204be08f97450b0389413e218268ef4a2 https://git.kernel.org/stable/c/638905520fc4fae6a80991563f264131545ba3df https://git.kernel.org/stable/c/74a02921c48fcd35a7881956c9e5c52b86595f5d https://git.kernel.org/stable/c/a0f4e4e8e0f5e24ddd83e3d1221732621cf34636 https://git.kernel.org/stable/c/aa6c6d9ee064aabfede4402fd1283424e649ca19

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T09:24:52.122Z

Updated: 2026-06-14T17:46:30.495Z

Reserved: 2026-05-13T15:03:33.078Z

Link: CVE-2026-45846

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T11:16:24.083

Modified: 2026-06-17T10:52:35.943

Link: CVE-2026-45846

Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45846 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T02:45:05Z

Weaknesses

CWE-476

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object