PT-2026-27651 · Linux · Linux Kernel

Published: 2026-01-01 · Updated: 2026-04-20 · CVE-2026-23286

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

The Linux kernel's ATM LANE (LAN Emulation) module contains a NULL pointer dereference in the lec_arp_clear_vccs() function. The flaw occurs when the underlying Virtual Circuit (VCC) is closed and the function is called multiple times for ARP entries sharing the same VCC. Specifically, after the associated vpriv (which is vcc->user_back) is freed in the first iteration, a subsequent iteration attempts to dereference a NULL vpriv obtained from vcc->user_back via LEC_VCC_PRIV(vcc), leading to a crash. The issue affects both the entry->vcc and entry->recv_vcc paths, with the latter added in a later commit.

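
A simplified userspace C model of the repeated clear described above, added here as an illustration; it is not taken from the kernel source or from any upstream patch. The *_model types, VCC_PRIV, clear_slot and the NULL guard are assumptions chosen for this example, and the guard is one possible defensive check, not a statement of how the kernel is or will be fixed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins (assumptions), not the kernel's definitions. */
struct vcc_model { void *user_back; };            /* models vcc->user_back */
struct vpriv_model { int xoff; };                 /* models the per-VCC private data */
struct arp_entry_model { struct vcc_model *vcc, *recv_vcc; };
#define VCC_PRIV(v) ((struct vpriv_model *)(v)->user_back)

/* Tear down one VCC slot of an ARP entry. Returns 1 if vpriv was freed here,
 * 0 if the slot was empty or an earlier call had already freed vpriv. */
static int clear_slot(struct vcc_model **slot)
{
    struct vcc_model *vcc = *slot;
    int freed = 0;

    if (!vcc)
        return 0;
    struct vpriv_model *vpriv = VCC_PRIV(vcc);
    if (vpriv) {                 /* guard: the described flaw reads vpriv unconditionally */
        (void)vpriv->xoff;       /* stands in for the fields read before the free */
        free(vpriv);
        vcc->user_back = NULL;   /* first iteration leaves NULL behind for the next one */
        freed = 1;
    }
    *slot = NULL;
    return freed;
}

/* Covers both paths named in the description: entry->vcc and entry->recv_vcc. */
static int clear_vccs_guarded(struct arp_entry_model *e)
{
    return clear_slot(&e->vcc) + clear_slot(&e->recv_vcc);
}

/* Constructed scenario: two ARP entries share one VCC. Returns how many slot
 * clears met a NULL vpriv, i.e. where an unguarded dereference would crash. */
static int shared_vcc_null_hits(void)
{
    struct vcc_model shared = { calloc(1, sizeof(struct vpriv_model)) };
    struct arp_entry_model entries[2] = { { &shared, NULL }, { NULL, &shared } };
    int hits = 0;

    for (int i = 0; i < 2; i++) {
        int live = (entries[i].vcc != NULL) + (entries[i].recv_vcc != NULL);
        hits += live - clear_vccs_guarded(&entries[i]);
    }
    return hits;
}

int main(void) { printf("NULL vpriv seen %d time(s)\n", shared_vcc_null_hits()); return 0; }
```
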
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

CVE-2026-23286
ECHO-E844-4DA2-F4E8

Affected Products

Linux Kernel