PT-2026-37396 · Linux · Linux

Published: 2026-05-06 · Updated: 2026-05-06 · CVE-2026-43086

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
ipvs: fix NULL deref in ip_vs_add_service error path
When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local variable sched is set to NULL. If ip_vs_start_estimator() subsequently fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched) with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL check (because svc->scheduler was set by the successful bind) but then dereferences the NULL sched parameter at sched->done_service, causing a kernel panic at offset 0x30 from NULL.
 Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI
 KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
 RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69)
 Call Trace:
  ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500)
  do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809)
  nf_setsockopt (net/netfilter/nf_sockopt.c:102)
  [..]
Fix by simply not clearing the local sched variable after a successful bind. ip_vs_unbind_scheduler() already detects whether a scheduler is installed via svc->scheduler, and keeping sched non-NULL ensures the error path passes the correct pointer to both ip_vs_unbind_scheduler() and ip_vs_scheduler_put().
While the bug is older, the problem pops up in more recent kernels (6.2), when the new error path is taken after the ip_vs_start_estimator() call.
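
The error path described above, as an added user-space model that is not the kernel's code or the patch itself. The shortened struct and function names, the `clear_after_bind` switch and the simple reference counter are assumptions made for illustration; where the kernel would dereference NULL, the model reports it instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model only: names are shortened stand-ins, not kernel code. */
struct sched { int refs; int done_calls; };
struct svc { struct sched *scheduler; };
struct outcome { int null_deref; int done_calls; int refs_left; };

static int bind_scheduler(struct svc *svc, struct sched *s)
{
    svc->scheduler = s;              /* successful bind installs the scheduler */
    return 0;
}

/* Returns 1 where the kernel would fault on sched->done_service. */
static int unbind_scheduler(struct svc *svc, struct sched *s)
{
    if (!svc->scheduler)             /* the cur_sched check: nothing installed */
        return 0;
    if (!s)                          /* installed, but caller passed NULL */
        return 1;
    s->done_calls++;                 /* stands in for sched->done_service(svc) */
    return 0;
}

static void scheduler_put(struct sched *s) { if (s) s->refs--; }

/* clear_after_bind = 1 models the pre-fix code, 0 the fixed code. */
struct outcome model_add_service(int clear_after_bind, int estimator_fails)
{
    struct sched rr = { .refs = 1, .done_calls = 0 };  /* assumed: ref taken by lookup */
    struct svc svc = { NULL };
    struct sched *sched = &rr;
    struct outcome o = { 0, 0, 0 };

    bind_scheduler(&svc, sched);
    if (clear_after_bind)
        sched = NULL;                /* the assignment the fix removes */
    if (estimator_fails) {           /* out_err cleanup */
        o.null_deref = unbind_scheduler(&svc, sched);
        scheduler_put(sched);
    }
    o.done_calls = rr.done_calls;
    o.refs_left = rr.refs;
    return o;
}

int main(void)
{
    struct outcome a = model_add_service(1, 1), b = model_add_service(0, 1);
    printf("pre-fix: null_deref=%d refs_left=%d\n", a.null_deref, a.refs_left);
    printf("fixed:   null_deref=%d refs_left=%d\n", b.null_deref, b.refs_left);
    return 0;
}
```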

Related Identifiers

CVE-2026-43086

Affected Products

Linux