Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-43086— ipvs: fix NULL deref in ip_vs_add_service error path

AI Predicted 7.8 Difficulty: Moderate EPSS 0.12% · P2

Affected Version Matrix 12

VendorProductVersion RangeStatus
LinuxLinux705dd34440812735ece298eb5bc153fde9544d42< 730663352c9178f33fcf5929f4a37c1f1ca5a693affected
705dd34440812735ece298eb5bc153fde9544d42< 4039959315008888dd53c37674d33351817a5166affected
705dd34440812735ece298eb5bc153fde9544d42< a32dabacee111cea083ddd57a03635672e1bff29affected
705dd34440812735ece298eb5bc153fde9544d42< c2ddbe577e2ebf63f2d8fb15cdc7503af70f3e94affected
705dd34440812735ece298eb5bc153fde9544d42< 9a91797e61d286805ae10a92cc48959c30800556affected
6.2affected
< 6.2unaffected
6.6.136≤ 6.6.*unaffected
… +4 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-43086

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
ipvs: fix NULL deref in ip_vs_add_service error path
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: ipvs: fix NULL deref in ip_vs_add_service error path When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local variable sched is set to NULL. If ip_vs_start_estimator() subsequently fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched) with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL check (because svc->scheduler was set by the successful bind) but then dereferences the NULL sched parameter at sched->done_service, causing a kernel panic at offset 0x30 from NULL. Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69) Call Trace: <TASK> ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500) do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809) nf_setsockopt (net/netfilter/nf_sockopt.c:102) [..] Fix by simply not clearing the local sched variable after a successful bind. ip_vs_unbind_scheduler() already detects whether a scheduler is installed via svc->scheduler, and keeping sched non-NULL ensures the error path passes the correct pointer to both ip_vs_unbind_scheduler() and ip_vs_scheduler_put(). While the bug is older, the problem popups in more recent kernels (6.2), when the new error path is taken after the ip_vs_start_estimator() call.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于ip_vs_add_service错误路径中sched变量被设为NULL后仍被解引用,导致空指针解引用和内核崩溃。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 705dd34440812735ece298eb5bc153fde9544d42 ~ 730663352c9178f33fcf5929f4a37c1f1ca5a693 -
LinuxLinux 6.2 -

II. Public POCs for CVE-2026-43086

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-43086

登录查看更多情报信息。

Patches & Fixes for CVE-2026-43086 (5)

Same Patch Batch · Linux · 2026-05-06 · 224 CVEs total

CVE-2026-432089.8 CRITICALnet: do not pass flow_id to set_rps_cpu()
CVE-2026-431259.8 CRITICALdlm: validate length in dlm_search_rsb_tree
CVE-2026-431989.8 CRITICALtcp: fix potential race in tcp_v6_syn_recv_sock()
CVE-2026-431869.8 CRITICALipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()
CVE-2026-431859.8 CRITICALksmbd: fix signededness bug in smb_direct_prepare_negotiation()
CVE-2026-431149.4 CRITICALnetfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry
CVE-2026-431979.1 CRITICALnetconsole: avoid OOB reads, msg is not nul-terminated
CVE-2026-431179.1 CRITICALbtrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()
CVE-2026-430839.1 CRITICALnet: ioam6: fix OOB and missing lock
CVE-2026-432158.8 HIGHcifs: Fix locking usage for tcon fields
CVE-2026-432328.8 HIGHnet: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets
CVE-2026-431728.8 HIGHwifi: iwlwifi: fix 22000 series SMEM parsing
CVE-2026-432838.8 HIGHnet: ethernet: ec_bhf: Fix dma_free_coherent() dma handle
CVE-2026-431768.8 HIGHwifi: rtw89: pci: validate release report content before using for RTL8922DE
CVE-2026-431128.8 HIGHfs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
CVE-2026-431138.8 HIGHwifi: wl1251: validate packet IDs before indexing tx_frames
CVE-2026-432498.8 HIGH9p/xen: protect xen_9pfs_front_free against concurrent calls
CVE-2026-431108.8 HIGHwifi: brcmfmac: validate bsscfg indices in IF events
CVE-2026-432398.8 HIGHsmb: client: prevent races in ->query_interfaces()
CVE-2026-431588.8 HIGHxfs: fix freemap adjustments when adding xattrs to leaf blocks

Showing top 20 of 224 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-43086

No comments yet


Leave a comment