CVE-2026-43080 in Linux

Information

Summary

by VulDB • 11/05/2026

The crash occurs in `pppol2tp_sendmsg` within the Linux kernel's L2TP PPPoL2TP implementation. The call trace shows:

```
pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302
```

This indicates a **null pointer dereference** or **invalid memory access** at offset `0x40a` inside `pppol2tp_sendmsg`. The `CR2` register (`0000200000033000`) shows the faulting address, which is likely unmapped or invalid.
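A small triage helper for the trace frame and `CR2` value quoted above, as an added example that is not from VulDB or the kernel source. `parse_frame` and `classify_cr2` are hypothetical names, and the address split assumes x86-64 with 4 KiB pages and 47-bit user addresses.

```c
#include <stdio.h>

/* One symbolized call-trace frame: func+0xOFF/0xSIZE path:line */
struct frame {
    char func[64];
    unsigned long off, size;
    char file[128];
    unsigned int line;
};

/* Parse a frame; returns 0 on success, -1 if malformed or off >= size. */
int parse_frame(const char *s, struct frame *f)
{
    int n = sscanf(s, " %63[^+ ]+0x%lx/0x%lx %127[^: ]:%u",
                   f->func, &f->off, &f->size, f->file, &f->line);
    if (n != 5 || f->off >= f->size)
        return -1;
    return 0;
}

enum fault_class { FAULT_NULL_PAGE, FAULT_USER_RANGE, FAULT_OTHER };

/* Assumption: x86-64 with 4 KiB pages and 47-bit user addresses. */
enum fault_class classify_cr2(unsigned long long cr2)
{
    if (cr2 < 0x1000ULL)
        return FAULT_NULL_PAGE;      /* plain NULL or small-offset deref */
    if (cr2 < 0x0000800000000000ULL)
        return FAULT_USER_RANGE;     /* pointer value lies in user space */
    return FAULT_OTHER;              /* non-canonical or kernel half */
}

/* Constructed samples built from the values quoted in the text above. */
static const char SAMPLE_FRAME[] =
    "pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302";
static const char SAMPLE_CR2[] = "0000200000033000";

int main(void)
{
    struct frame f;
    unsigned long long cr2 = 0;

    if (parse_frame(SAMPLE_FRAME, &f) != 0 ||
        sscanf(SAMPLE_CR2, "%llx", &cr2) != 1)
        return 1;
    printf("%s offset %#lx of %#lx at %s:%u, CR2 class %d\n",
           f.func, f.off, f.size, f.file, f.line, classify_cr2(cr2));
    return 0;
}
```

Under the stated assumptions the quoted `CR2` value falls outside the first page, so the faulting pointer was not a plain `NULL` plus a small field offset.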

### Root Cause Analysis

Looking at the kernel source for `net/l2tp/l2tp_ppp.c` around line 302 (in recent kernels, e.g., v6.1+), `pppol2tp_sendmsg` typically does:

1. Retrieves the socket's private data via `sk->sk_protinfo` or similar.
2. Accesses L2TP session/socket structures.
3. May dereference pointers to `struct pppol2tp_sock` or `struct l2tp_session`.

A common bug in such code paths is:

- **Missing null check** on a pointer derived from socket options or session lookup.
- **Use-after-free**: The L2TP session or socket was freed while still being accessed.
- **Race condition**: Concurrent modification of socket/session state.

In particular, if `pppol2tp_sendmsg` calls `l2tp_session_get()` or similar and does not check for `NULL`, it will crash when the session is invalid or removed.

### Likely Fix

The fix should add a **null pointer check** after any pointer retrieval in `pppol2tp_sendmsg`. For example:

```c
static int pppol2tp_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
{
	struct sock *sk = sock->sk;
	struct pppol2tp_sock *ptp = pppol2tp_sk(sk);
	struct l2tp_session *session;
	int ret;

	// ... existing code ...

	session = l2tp_session_get(ptp->session_id);
	if (!session) {
		ret = -ENOTCONN;
		goto out;
	}

	// ... rest of function ...
}
```

### Reference

The linked patch ([lore.kernel.org](https://lore.kernel.org/all/[email protected]/)) likely introduces this null check or fixes a similar issue in `pppol2tp_sendmsg`.

### Summary

- **Bug**: Null pointer dereference in `pppol2tp_sendmsg` due to missing validation of L2TP session/socket pointers.
- **Fix**: Add null checks after pointer retrieval operations.
- **Impact**: Prevents kernel panic/crash when sending data over an invalid or closed PPPoL2TP socket.


- **Responsible**: Linux
- **Reserved**: 01/05/2026
- **Disclosure**: 06/05/2026
- **Moderation**: Accepted
- **Entry**: VDB-361316
- **EPSS**: 0.00013
- **KEV**: No
- **Activities**: Very low
