PT-2026-26582 · Linux · Linux Kernel
Published: 2026-01-01 · Updated: 2026-04-23
CVE-2026-23277
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A flaw exists in the Linux kernel's networking subsystem related to the TEQL (Traffic EQuation Language) scheduler. Specifically, a NULL pointer dereference can occur within the iptunnel_xmit function when handling transmissions on a TEQL slave interface, such as a GRE tunnel. The issue arises because the skb->dev pointer is not updated to point to the slave device before being passed to netdev_start_xmit. This leads to iptunnel_xmit_stats being called with an invalid device pointer, resulting in a page fault when attempting to access the device's statistics (dev->tstats).
The teql_master_xmit function calls netdev_start_xmit(skb, slave) to transmit through slave devices, but it does not update skb->dev to the slave device beforehand. When a gretap tunnel is a TEQL slave, the transmit path reaches iptunnel_xmit(), which saves dev = skb->dev (still pointing to the teql0 master) and later calls iptunnel_xmit_stats(dev, pkt_len). This function attempts to access dev->tstats, which is NULL because teql_master_setup() does not set dev->pcpu_stat_type to NETDEV_PCPU_STAT_TSTATS.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
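The pointer flow from the Description, as a user-space C model added here (not kernel code, not the upstream patch, and not part of the original advisory). The structs are reduced stand-ins, the model_* functions, run_case and the slave name gretap1 are hypothetical, and setting skb->dev to the slave before transmit is an assumed remedy inferred from the description.

```c
#include <stdio.h>

/* Reduced user-space stand-ins for the kernel structures (assumption). */
struct pcpu_sw_netstats { unsigned long tx_packets, tx_bytes; };
struct net_device { const char *name; struct pcpu_sw_netstats *tstats; };
struct sk_buff { struct net_device *dev; unsigned int len; };

/* Models iptunnel_xmit_stats(); -1 marks where the kernel would page-fault. */
static int model_iptunnel_xmit_stats(struct net_device *dev, unsigned int pkt_len)
{
    if (dev->tstats == NULL) return -1;
    dev->tstats->tx_packets++;
    dev->tstats->tx_bytes += pkt_len;
    return 0;
}

/* Models iptunnel_xmit(): the device is taken from skb->dev. */
static int model_iptunnel_xmit(struct sk_buff *skb)
{
    struct net_device *dev = skb->dev;
    return model_iptunnel_xmit_stats(dev, skb->len);
}

/* Models teql_master_xmit(); fix != 0 applies the assumed remedy skb->dev = slave. */
static int model_teql_master_xmit(struct sk_buff *skb, struct net_device *slave, int fix)
{
    if (fix) skb->dev = slave;
    return model_iptunnel_xmit(skb); /* stands in for netdev_start_xmit(skb, slave) */
}

/* One transmit: teql0 has no tstats, the constructed slave gretap1 does. */
int run_case(int fix, unsigned long *slave_tx_packets)
{
    struct pcpu_sw_netstats stats = { 0, 0 };
    struct net_device master = { "teql0", NULL };
    struct net_device slave = { "gretap1", &stats };
    struct sk_buff skb = { &master, 1500 };
    int rc = model_teql_master_xmit(&skb, &slave, fix);
    *slave_tx_packets = stats.tx_packets;
    return rc;
}

int main(void)
{
    unsigned long a, b;
    int bug = run_case(0, &a), fixed = run_case(1, &b);
    printf("master in skb->dev: rc=%d; slave in skb->dev: rc=%d tx_packets=%lu\n", bug, fixed, b);
    return 0;
}
```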
Affected Products
Linux Kernel