PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23277 Linux CVE debrief

CVE-2026-23277 is a Linux kernel networking bug in the TEQL transmit path. When TEQL forwards traffic to a slave device, it fails to update skb->dev before calling netdev_start_xmit(). If the slave is a gretap tunnel, the tunnel transmit path later uses the stale master device pointer, reaches iptunnel_xmit_stats(), and dereferences dev->tstats even though teql0 does not have the per-CPU tstats allocation enabled. The result is a NULL pointer dereference and kernel page fault, which can crash the host.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-20
Original CVE updated: 2026-04-18
Advisory published: 2026-03-20
Advisory updated: 2026-04-18

Who should care

Linux kernel maintainers, distribution security teams, and operators who use TEQL together with tunnel or gretap slave devices should treat this as relevant. It is most important for environments where the affected transmit path can be exercised.

Technical summary

The bug is caused by a mismatch between the device associated with the skb and the actual slave device used for transmission. teql_master_xmit() calls netdev_start_xmit(skb, slave) without first setting skb->dev = slave. Downstream tunnel code such as iptunnel_xmit() saves skb->dev as the device context and later calls iptunnel_xmit_stats(dev, pkt_len), which uses get_cpu_ptr(dev->tstats). Because teql_master_setup() does not allocate tstats for teql0, dev->tstats is NULL, leading to a page fault. The fix is to assign skb->dev to the slave before transmit so the tunnel path sees the correct device context.

Defensive priority

High for systems that use TEQL with tunnel slaves, because the flaw can produce a kernel oops and availability loss. Even though the supplied corpus does not provide a CVSS score, the crash impact makes patching a priority for exposed configurations.

Recommended defensive actions

  • Apply the Linux kernel/stable updates that include the TEQL transmit-path fix referenced in the supplied kernel commit links.
  • Review whether any hosts use TEQL with gretap or other tunnel slave devices, and prioritize those systems for maintenance.
  • After patching, validate that networking stacks which rely on TEQL and tunnel forwarding are functioning as expected.
  • Monitor kernel logs for NULL pointer dereferences, page faults, or Oops messages involving iptunnel_xmit, ip_tunnel_xmit, or sch_teql.
  • If you operate a distro kernel, track vendor advisories that backport the fix into packaged kernel builds.
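
The log-monitoring action above, as an added example that is not part of the original debrief or of any kernel tooling: a Python scanner that groups kernel log lines into crash reports and flags the reports that name the symbols listed in this debrief. The sample log lines, the 80-line report bound, and the teql_tunnel_path heuristic are constructed assumptions.

```python
import re
import sys

# Headers the kernel prints when a crash report begins.
FAULT_RE = re.compile(r"BUG: kernel NULL pointer dereference"
                      r"|BUG: unable to handle page fault|Oops: ")
# Symbols this debrief names for CVE-2026-23277.
TUNNEL_RE = re.compile(r"\b(iptunnel_xmit\w*|ip_tunnel_xmit)\b")
TEQL_RE = re.compile(r"\b(teql_master_xmit|sch_teql)\b")
END_RE = re.compile(r"---\[ end trace")
MAX_REPORT_LINES = 80  # assumption: bound for reports with no end marker

# Constructed sample (offsets and addresses are made up, not a real trace).
SAMPLE = """\
[  101.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  101.000002] Oops: 0000 [#1] SMP
[  101.000003] RIP: 0010:iptunnel_xmit+0x10/0x20
[  101.000004]  ip_tunnel_xmit+0x10/0x20
[  101.000005]  teql_master_xmit+0x10/0x20 [sch_teql]
[  101.000006] ---[ end trace 0000000000000000 ]---
[  202.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  202.000002] RIP: 0010:example_driver_poll+0x10/0x20
[  202.000003] ---[ end trace 0000000000000000 ]---
""".splitlines()

def _classify(report):
    text = "\n".join(report)
    tunnel = sorted(set(TUNNEL_RE.findall(text)))
    teql = sorted(set(TEQL_RE.findall(text)))
    # Assumed heuristic: tunnel and TEQL symbols together in one report
    # point at the transmit path described in this debrief.
    return {"header": report[0].strip(), "symbols": tunnel + teql,
            "teql_tunnel_path": bool(tunnel and teql)}

def scan_kernel_log(lines):
    """Group lines into crash reports; return those naming the symbols."""
    reports, current = [], None
    for line in lines:
        if current is None and FAULT_RE.search(line):
            current = [line]
            reports.append(current)
        elif current is not None:
            current.append(line)
            if END_RE.search(line) or len(current) >= MAX_REPORT_LINES:
                current = None
    return [hit for hit in map(_classify, reports) if hit["symbols"]]

if __name__ == "__main__":
    for hit in scan_kernel_log(SAMPLE if sys.stdin.isatty() else sys.stdin):
        print(hit)
```

On a live host the script reads the kernel log from standard input, for example from the output of journalctl -k or dmesg.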

Evidence notes

This debrief is based only on the supplied CVE description, the NVD record, and the official kernel stable references listed in the source corpus. The record states that teql_master_xmit() forwards to a slave without updating skb->dev, that iptunnel_xmit() then reaches iptunnel_xmit_stats(dev, pkt_len), and that dev->tstats is NULL because teql0 does not get NETDEV_PCPU_STAT_TSTATS allocation. The supplied NVD item is marked 'Undergoing Analysis' and no CVSS vector or score is provided in the corpus.

Official resources

CVE published 2026-03-20T09:16:13.533Z and last modified 2026-04-18T09:16:15.980Z, matching the supplied timeline fields. NVD also lists the record as 'Undergoing Analysis' in the source corpus.