CVE-2026-23277 Affecting gfs2-kmp-default package, versions <6.12.0-160000.28.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-SLES1600-GFS2KMPDEFAULT-16333153
- published1 May 2026
- disclosed20 Apr 2026
Introduced: 20 Apr 2026
NewCVE-2026-23277 (opens in a new tab)How to fix?
Upgrade SLES:16.0.0 gfs2-kmp-default to version 6.12.0-160000.28.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream gfs2-kmp-default package and not the gfs2-kmp-default package as distributed by SLES.
See How to fix? for SLES:16.0.0 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit through slave devices, but does not update skb->dev to the slave device beforehand.
When a gretap tunnel is a TEQL slave, the transmit path reaches iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 master) and later calls iptunnel_xmit_stats(dev, pkt_len). This function does:
get_cpu_ptr(dev->tstats)
Since teql_master_setup() does not set dev->pcpu_stat_type to NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes NULL + __per_cpu_offset[cpu], resulting in a page fault.
BUG: unable to handle page fault for address: ffff8880e6659018 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 68bc067 P4D 68bc067 PUD 0 Oops: Oops: 0002 [#1] SMP KASAN PTI RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89) Call Trace: <TASK> ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) __gre_xmit (net/ipv4/ip_gre.c:478) gre_tap_xmit (net/ipv4/ip_gre.c:779) teql_master_xmit (net/sched/sch_teql.c:319) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) neigh_direct_output (net/core/neighbour.c:1660) ip_finish_output2 (net/ipv4/ip_output.c:237) __ip_finish_output.part.0 (net/ipv4/ip_output.c:315) ip_mc_output (net/ipv4/ip_output.c:369) ip_send_skb (net/ipv4/ip_output.c:1508) udp_send_skb (net/ipv4/udp.c:1195) udp_sendmsg (net/ipv4/udp.c:1485) inet_sendmsg (net/ipv4/af_inet.c:859) __sys_sendto (net/socket.c:2206)
Fix this by setting skb->dev = slave before calling netdev_start_xmit(), so that tunnel xmit functions see the correct slave device with properly allocated tstats.
References
- https://www.suse.com/security/cve/CVE-2026-23277.html
- https://bugzilla.suse.com/1259997
- https://git.kernel.org/stable/c/0bad9c86edd22dec4df83c2b29872d66fd8a2ff4
- https://git.kernel.org/stable/c/0cc0c2e661af418bbf7074179ea5cfffc0a5c466
- https://git.kernel.org/stable/c/21ea283c2750c8307aa35ee832b0951cc993c27d
- https://git.kernel.org/stable/c/57c153249143333bbf4ecf927bdf8aa2696ee397
- https://git.kernel.org/stable/c/59b06d8b9bdb6b64b3c534c18da68bce5ccd31be
- https://git.kernel.org/stable/c/81a43e8005366f16e629d8c95dfe05beaa8d36a7
- https://git.kernel.org/stable/c/383493b9940e3d1b5517424081b3e072e20ec43c
- https://git.kernel.org/stable/c/6b1f563d670162e188a0f2aec39c24b67b106e17