CVE-2026-52925 in Linuxinfo

Summary

by MITRE • 06/24/2026

In the Linux kernel, the following vulnerability has been resolved:

vrf: Fix a potential NPD when removing a port from a VRF

RCU readers that identified a net device as a VRF port using netif_is_l3_slave() assume that a subsequent call to netdev_master_upper_dev_get_rcu() will return a VRF device. They then continue to dereference its l3mdev operations.

This assumption is not always correct and can result in an NPD [1]. There is no RCU synchronization when removing a port from a VRF, so it is possible for an RCU reader to see a new master device (e.g., a bridge) that does not have l3mdev operations.

Fix by adding RCU synchronization after clearing the IFF_L3MDEV_SLAVE flag. Skip this synchronization when a net device is removed from a VRF as part of its deletion and when the VRF device itself is deleted. In the latter case an RCU grace period will pass by the time RTNL is released.

[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000 [...]
RIP: 0010:l3mdev_fib_table_rcu (net/l3mdev/l3mdev.c:181) [...]
Call Trace:
 l3mdev_fib_table_by_index (net/l3mdev/l3mdev.c:201 net/l3mdev/l3mdev.c:189)
 __inet_bind (net/ipv4/af_inet.c:499 (discriminator 3))
 inet_bind_sk (net/ipv4/af_inet.c:469)
 __sys_bind (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:1951 (discriminator 1))
 __x64_sys_bind (net/socket.c:1969 (discriminator 1) net/socket.c:1967 (discriminator 1) net/socket.c:1967 (discriminator 1))
 do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)


Analysis

by VulDB Data Team • 06/24/2026

This vulnerability exists within the Linux kernel's Virtual Routing and Forwarding implementation where a potential null pointer dereference can occur when removing a network port from a VRF context. The issue stems from improper synchronization during the removal process of network devices from VRF configurations, creating a race condition scenario that allows RCU readers to access invalid memory references.

The technical flaw manifests when RCU readers use the netif_is_l3_slave() function to identify a network device as a VRF port and subsequently call netdev_master_upper_dev_get_rcu() to retrieve the master VRF device. The code assumes this operation will always return a valid VRF device with l3mdev operations, but this assumption fails when the device has been removed from the VRF without waiting for an RCU grace period: a reader that already observed the IFF_L3MDEV_SLAVE flag can then find a new master (such as a bridge) that carries no l3mdev operations. This leads to a NULL pointer dereference in the l3mdev_fib_table_rcu function in net/l3mdev/l3mdev.c at line 181.

The operational impact of this vulnerability is significant as it can cause kernel panics and system crashes when network operations attempt to bind sockets on interfaces that have been improperly removed from VRF configurations. The attack surface includes any system utilizing VRF functionality with dynamic port assignment and removal, particularly affecting network infrastructure and server environments where network virtualization is employed. This vulnerability directly maps to CWE-476 which describes NULL pointer dereference conditions in software systems.

The fix implements proper RCU synchronization after clearing the IFF_L3MDEV_SLAVE flag to ensure that all readers have completed their operations before proceeding with the removal process. However, the solution specifically excludes synchronization when a network device is removed as part of its own deletion or when the VRF device itself is being deleted, since in these cases a natural RCU grace period will occur before the RTNL lock is released. This approach maintains performance while ensuring memory safety during normal operations.
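The interleaving that the summary above and this analysis describe (reader checks the slave flag, port is moved from the VRF to a bridge, reader then dereferences the master's l3mdev operations) can be replayed in a small userspace model. The C below is an added illustration, not kernel code and not the fix itself; the function names mirror the kernel's, but the bodies, the toy RCU reader counter, the device names, the table ids and the two-step reader are constructed for the model. The single-threaded model expresses the kernel's blocking synchronize_rcu() by letting pre-existing readers finish before the writer continues.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed userspace model of the VRF port-removal race (not kernel
 * code). Names mirror the kernel's; bodies are simplified stand-ins. */

#define IFF_L3MDEV_SLAVE 0x1u
#define RT_TABLE_MAIN    254   /* fallback when there is no l3mdev master */
#define VRF_TABLE_ID     10    /* constructed table id for the model's VRF */
#define NPD_CRASH        (-1)  /* stands in for the kernel oops */

struct net_device;
struct l3mdev_ops {
    int (*l3mdev_fib_table)(const struct net_device *dev);
};
struct net_device {
    const char *name;
    unsigned int priv_flags;
    const struct l3mdev_ops *l3mdev_ops;  /* set only on VRF devices */
    struct net_device *master;            /* upper device, NULL when none */
};

static int vrf_fib_table(const struct net_device *dev) { (void)dev; return VRF_TABLE_ID; }
static const struct l3mdev_ops vrf_l3mdev_ops = { .l3mdev_fib_table = vrf_fib_table };

/* Toy RCU: a count of readers inside a read-side critical section. */
static int rcu_readers;
static void rcu_read_lock(void)       { rcu_readers++; }
static void rcu_read_unlock(void)     { rcu_readers--; }
static bool rcu_readers_pending(void) { return rcu_readers > 0; }

static bool netif_is_l3_slave(const struct net_device *dev)
{ return (dev->priv_flags & IFF_L3MDEV_SLAVE) != 0; }

/* Reader, step 1: the flag check that l3mdev_fib_table_rcu() performs. */
struct reader { struct net_device *dev; bool saw_l3_slave; };
static void reader_begin(struct reader *r, struct net_device *dev)
{
    rcu_read_lock();
    r->dev = dev;
    r->saw_l3_slave = netif_is_l3_slave(dev);
}

/* Reader, step 2: master lookup and l3mdev dereference. A NULL master is
 * expected and handled; a master without l3mdev_ops is not. */
static int reader_finish(struct reader *r)
{
    int tb_id = RT_TABLE_MAIN;
    if (r->saw_l3_slave) {
        struct net_device *master = r->dev->master;  /* netdev_master_upper_dev_get_rcu() */
        if (master) {
            if (!master->l3mdev_ops) {
                rcu_read_unlock();
                return NPD_CRASH;  /* master->l3mdev_ops->l3mdev_fib_table faults here */
            }
            tb_id = master->l3mdev_ops->l3mdev_fib_table(master);
        }
    }
    rcu_read_unlock();
    return tb_id;
}

/* Writer: vrf_del_slave() unlinks the port and clears the slave flag. */
static void vrf_del_slave(struct net_device *port)
{
    port->master = NULL;
    port->priv_flags &= ~IFF_L3MDEV_SLAVE;
}

/* Scenario: reader checks the flag, the port moves from the VRF to a bridge,
 * then the reader dereferences its master. With the fix, synchronize_rcu()
 * after vrf_del_slave() blocks until every pre-existing reader has left, so
 * the bridge can only become master afterwards; the model drains the reader
 * at that point to express the wait. */
static int port_move_race(bool fixed)
{
    struct net_device vrf    = { "vrf-blue", 0, &vrf_l3mdev_ops, NULL };
    struct net_device bridge = { "br0", 0, NULL, NULL };
    struct net_device port   = { "eth0", IFF_L3MDEV_SLAVE, NULL, &vrf };
    struct reader r;
    int result;

    reader_begin(&r, &port);
    vrf_del_slave(&port);
    if (fixed && rcu_readers_pending()) {
        result = reader_finish(&r);  /* grace period: existing readers complete */
        port.master = &bridge;       /* bridge enslavement happens only now */
        return result;
    }
    port.master = &bridge;           /* unfixed: bridge becomes master immediately */
    return reader_finish(&r);
}

/* Baseline: the lookup while the port is still a VRF slave. */
static int port_lookup_no_race(void)
{
    struct net_device vrf  = { "vrf-blue", 0, &vrf_l3mdev_ops, NULL };
    struct net_device port = { "eth0", IFF_L3MDEV_SLAVE, NULL, &vrf };
    struct reader r;
    reader_begin(&r, &port);
    return reader_finish(&r);
}

int main(void)
{
    printf("no race:   table %d\n", port_lookup_no_race());
    printf("unfixed:   %d (NPD_CRASH = %d)\n", port_move_race(false), NPD_CRASH);
    printf("fixed:     table %d\n", port_move_race(true));
    return 0;
}
```

The unfixed path returns NPD_CRASH because the reader that observed IFF_L3MDEV_SLAVE finds the bridge as master and the bridge has no l3mdev_ops; the fixed path returns RT_TABLE_MAIN because the reader, having been allowed to finish before the bridge was linked, sees a NULL master and takes the existing fallback. That matches the summary's description of why a grace period after clearing the flag is sufficient.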

This vulnerability also aligns with ATT&CK technique T1059.006 for kernel-mode rootkits and privilege escalation through system call manipulation. The null pointer dereference can be exploited by malicious actors to cause denial of service attacks against network services or to potentially gain elevated privileges if combined with other exploitation techniques targeting the kernel's networking subsystem.

The fix addresses the fundamental race condition between RCU reader operations and device removal processes in the VRF subsystem, ensuring proper memory synchronization during network interface management. This remediation follows established kernel security practices for preventing use-after-free conditions and maintaining data integrity in concurrent network device operations. The solution maintains backward compatibility while strengthening the kernel's robustness against improper device state transitions that could lead to system instability or exploitation opportunities.

The vulnerability demonstrates how complex kernel subsystems can introduce subtle race conditions that are difficult to detect through standard testing procedures, particularly in virtualized networking environments where dynamic device assignment and removal are common operations. This type of flaw highlights the importance of proper synchronization primitives in kernel code and the need for comprehensive testing of concurrent access patterns in network device management routines.

Security researchers should monitor for similar vulnerabilities in other kernel subsystems that utilize RCU mechanisms for device state management, as this pattern of improper synchronization can occur in various contexts where device removal operations interact with concurrent readers. The fix serves as a reference implementation for handling similar race conditions in other kernel networking components that require proper synchronization between device state changes and concurrent access patterns.

Responsible

Linux

Reservation

06/09/2026

Disclosure

06/24/2026

Moderation

accepted

CPE

ready

EPSS

0.00164

KEV

no

Activities

low
