Linux · Linux Kernel · CVE-2024-46763
**Name of the Vulnerable Software and Affected Versions**
Linux kernel versions prior to 6.6.52
**Description**
A null pointer dereference vulnerability was found in the Linux kernel's GRO (Generic Receive Offload) handler. The issue occurs when the `fou_gro_receive` function is called while shutting down a host, and the `sk->sk_user_data` pointer is null. This happens because the `udp_tunnel_sock_release` function sets `sk->sk_user_data` to null when the tunnel socket is destroyed after a single RCU (Read-Copy-Update) grace period. As a result, the `fou_gro_receive` function may attempt to access the null pointer, leading to a kernel crash.
To mitigate this issue, the `rcu_dereference_sk_user_data` function should be used in `fou_from_sock` to ensure that the `sk->sk_user_data` pointer is properly referenced. Additionally, null checks should be added to the FOU GRO handlers to prevent the null pointer dereference.
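The following is an added user-space model of the fix pattern described above; it is example code, not the kernel's own `fou` implementation. `struct sock` and `struct fou` are cut-down stand-ins, the `GRO_*` return codes are invented for testability, and the GCC/Clang `__atomic_*` builtins stand in for `rcu_dereference_sk_user_data()` and the RCU-protected store in `udp_tunnel_sock_release()`. The point it demonstrates is the shape of the hardened handler: take one snapshot of `sk_user_data`, check it for NULL, and never re-read the field afterwards, because the release path may clear it at any time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structures (example code only). */
struct fou {
    uint8_t protocol;    /* inner protocol the tunnel carries */
    unsigned long pkts;  /* packets handled by GRO on this tunnel */
};

struct sock {
    void *sk_user_data;  /* points at struct fou while the tunnel is alive */
};

/* Return codes invented for this example; the kernel GRO path uses skb lists. */
enum gro_result { GRO_HANDLED = 0, GRO_NO_TUNNEL = -1 };

/* Stand-in for rcu_dereference_sk_user_data(): a single acquire-load, so the
 * caller works on one snapshot instead of re-reading a field that the
 * release path clears concurrently. */
static struct fou *fou_from_sock(struct sock *sk)
{
    return (struct fou *)__atomic_load_n(&sk->sk_user_data, __ATOMIC_ACQUIRE);
}

/* Stand-in for udp_tunnel_sock_release(): clears sk_user_data. In the kernel
 * the struct fou itself is freed only after an RCU grace period; here the
 * struct stays valid and only the pointer is nulled. */
static void udp_tunnel_sock_release(struct sock *sk)
{
    __atomic_store_n(&sk->sk_user_data, (void *)NULL, __ATOMIC_RELEASE);
}

/* Hardened receive handler. The vulnerable form read sk->sk_user_data and
 * dereferenced it without this NULL check, which crashes once the tunnel
 * socket has been released. */
static int fou_gro_receive(struct sock *sk, const uint8_t *pkt, size_t len)
{
    struct fou *fou = fou_from_sock(sk);   /* snapshot taken exactly once */

    if (!fou)                              /* tunnel already torn down */
        return GRO_NO_TUNNEL;
    if (len == 0 || pkt[0] != fou->protocol)
        return GRO_NO_TUNNEL;              /* not a packet for this tunnel */
    fou->pkts++;
    return GRO_HANDLED;
}

/* Constructed scenario: one packet arrives on a live tunnel. */
static int gro_before_release(void)
{
    struct fou f = { .protocol = 4, .pkts = 0 };        /* constructed tunnel */
    struct sock sk = { .sk_user_data = &f };
    static const uint8_t pkt[] = { 4, 0x45, 0x00 };     /* constructed packet */

    return fou_gro_receive(&sk, pkt, sizeof pkt);
}

/* Constructed scenario: the socket is released, then the same handler runs
 * again, as happens on the shutdown path the advisory describes. */
static int gro_after_release(void)
{
    struct fou f = { .protocol = 4, .pkts = 0 };
    struct sock sk = { .sk_user_data = &f };
    static const uint8_t pkt[] = { 4, 0x45, 0x00 };

    (void)fou_gro_receive(&sk, pkt, sizeof pkt);
    udp_tunnel_sock_release(&sk);
    return fou_gro_receive(&sk, pkt, sizeof pkt);       /* must not crash */
}

int main(void)
{
    printf("before release: %d\n", gro_before_release());  /* 0  = handled */
    printf("after release:  %d\n", gro_after_release());   /* -1 = no tunnel */
    return 0;
}
```

The hardened handler returns `GRO_NO_TUNNEL` after the release instead of dereferencing NULL. A handler that re-read `sk->sk_user_data` a second time after the check would reopen the window, which is why the snapshot is held in a local for the whole call.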
**Recommendations**
To resolve this issue, update the Linux kernel to version 6.6.52 or later. If an update is not possible, consider applying the patch that adds the `rcu_dereference_sk_user_data` function and null checks to the FOU GRO handlers. As a temporary workaround, consider disabling the GRO feature until a patch is available.