In the Linux kernel, the following vulnerability has been resolved:
bareudp: fix NULL pointer dereference in bareudpfillmetadata_dst()
bareudpfillmetadatadst() passes bareudp->sock to udptunnel6dstlookup() in the IPv6 path without a NULL check. The socket is only created in bareudpopen() and NULLed in bareudpstop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.
BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:udptunnel6dstlookup (net/ipv6/ip6udptunnel.c:160) Call Trace: <TASK> bareudpfillmetadatadst (drivers/net/bareudp.c:532) doexecuteactions (net/openvswitch/actions.c:901) ovsexecuteactions (net/openvswitch/actions.c:1589) ovspacketcmdexecute (net/openvswitch/datapath.c:700) genlfamilyrcvmsgdoit (net/netlink/genetlink.c:1114) genlrcvmsg (net/netlink/genetlink.c:1209) netlinkrcvskb (net/netlink/afnetlink.c:2550) </TASK>
Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45846.json"
}