PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23286 Linux CVE debrief

A null-pointer dereference vulnerability exists in the Linux kernel's ATM LANE (LAN Emulation) module, specifically in the `lec_arp_clear_vccs()` function. The issue arises when multiple `lec_arp_table` entries share the same `atm_vcc` structure. During VCC closure, `lec_vcc_close()` iterates over ARP entries and calls `lec_arp_clear_vccs()` for each match. On the first matched entry, the function frees `vpriv` (via `vcc->user_back`) and sets it to NULL. On subsequent iterations for entries sharing the same VCC, `lec_arp_clear_vccs()` retrieves NULL from `vcc->user_back` and dereferences it through `vcc->pop = vpriv->old_pop`, causing a kernel crash. The fix adds a NULL check for `vpriv` before dereferencing, skipping cleanup if the VCC was already released by a prior iteration. The vulnerability affects Linux kernel versions from 2.6.12 through multiple stable branches, with patches available for supported releases.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-25
Original CVE updated
2026-05-29
Advisory published
2026-03-25
Advisory updated
2026-05-29

Who should care

Organizations running Linux systems with ATM LANE (LAN Emulation over ATM) support enabled, particularly telecommunications and legacy networking environments. System administrators maintaining Linux kernels in the affected version ranges should prioritize patching. Cloud providers and managed hosting services with customer workloads on vulnerable kernel versions should apply stable updates. Security teams tracking kernel vulnerabilities identified through fuzzing tools like syzkaller should monitor this fix for inclusion in their patch management cycles.

Technical summary

The vulnerability is a NULL pointer dereference (CWE-476) in `lec_arp_clear_vccs()` within the ATM LANE (LAN Emulation) subsystem of the Linux kernel. The root cause is improper handling of shared `atm_vcc` structures across multiple `lec_arp_table` entries. When `lec_vcc_close()` iterates through ARP tables to clear VCC associations, it may invoke `lec_arp_clear_vccs()` multiple times for the same VCC if multiple entries reference it. The function uses `LEC_VCC_PRIV(vcc)` to obtain `vpriv` from `vcc->user_back`, frees it, and sets `vcc->user_back` to NULL. On subsequent invocations for the same VCC, `vpriv` is NULL, and the assignment `vcc->pop = vpriv->old_pop` triggers a null-pointer dereference. The fix introduces a NULL check for `vpriv` before the cleanup block, ensuring that already-released VCCs are not processed again. The `vcc_release_async()` call and associated flag settings are also guarded by this check to prevent redundant operations on closing sockets. The vulnerability is locally exploitable with low privileges and results in denial of service (system crash).

Defensive priority

medium

Recommended defensive actions

  • Apply the appropriate stable kernel patch for your Linux kernel version. Patches are available for 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, and other supported stable branches.
  • Upgrade to a fixed kernel version: 5.10.253 or later, 5.15.203 or later, 6.1.167 or later, 6.6.130 or later, 6.12.77 or later, 6.18.17 or later, or 6.19.7 or later.
  • If running kernel 7.0-rc1 or 7.0-rc2, apply the relevant patch or wait for the next release candidate that includes the fix.
  • For systems using ATM LANE (LAN Emulation over ATM), prioritize patching due to local attack vector accessibility.
  • Monitor kernel stable updates for backported fixes if running a distribution-maintained kernel.

Evidence notes

Vulnerability description and fix details sourced from NVD record and kernel.org patch commits. CVSS 3.1 score of 5.5 (MEDIUM) with AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H vector. CWE-476 (NULL Pointer Dereference) identified as primary weakness. Affected versions confirmed through NVD CPE criteria spanning kernel 2.6.12 through 6.19.7 and 7.0-rc1/rc2.

Official resources

2026-03-25T11:16:23.393Z