Linux Kernel Privilege Escalation Vulnerability via NULL Pointer Dereference in UDP Tunnel

Vulnerability

A vulnerability in the Linux kernel's UDP tunnel implementation can lead to a NULL pointer dereference, causing a crash. This issue occurs when IPv6 support is disabled. The function 'udp_sock_create6' is supposed to create a socket, but instead, it returns a success status without actually creating one. As a result, functions like 'fou_create' attempt to use an uninitialized socket pointer, leading to a NULL pointer dereference. This vulnerability can be triggered by privileged users.
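
The failure pattern described above, as a userspace C model added here for illustration; it is not kernel source and not the upstream patch. All names (`sock_model`, `create6_stub_buggy`, `create6_stub_fixed`, `tunnel_create`) are hypothetical, and both the error-returning stub and the caller's NULL check are assumed ways to close the gap.

```c
/* Userspace model only: not kernel source. All names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
struct sock_model { int port; };
typedef int (*create_fn)(int port, struct sock_model **sockp);
static struct sock_model backing; /* stands in for an allocated socket */

/* Normal creator: fills *sockp and returns 0. */
static int create_ok(int port, struct sock_model **sockp)
{
    backing.port = port;
    *sockp = &backing;
    return 0;
}

/* Stub as described on the page: reports success, never writes *sockp. */
static int create6_stub_buggy(int port, struct sock_model **sockp)
{
    (void)port; (void)sockp;
    return 0;
}

/* Assumed correction: the address family is unavailable, so say so. */
static int create6_stub_fixed(int port, struct sock_model **sockp)
{
    (void)port; (void)sockp;
    return -EAFNOSUPPORT;
}

/* Caller in the style of a tunnel setup routine; returns the port or -errno.
 * Without the sk == NULL test, "success with no socket" is dereferenced. */
static int tunnel_create(create_fn create, int port)
{
    struct sock_model *sk = NULL;
    int err = create(port, &sk);
    if (err < 0)
        return err;
    if (sk == NULL)
        return -EINVAL;
    return sk->port;
}

int main(void)
{
    printf("ok=%d buggy=%d fixed=%d\n", tunnel_create(create_ok, 5555),
           tunnel_create(create6_stub_buggy, 5555), tunnel_create(create6_stub_fixed, 5555));
    return 0;
}
```

With the error-returning stub the caller fails on the return code alone; the NULL check only matters when a creator breaks the "0 means *sockp is valid" contract.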

Impact

Exploitation of this vulnerability causes a kernel crash due to a NULL pointer dereference.

Reproduction

To reproduce this vulnerability, compile the Linux kernel with IPv6 support disabled. Once the kernel is running, use a privileged account to send a Netlink message that triggers the 'fou_create' function. This will cause the system to crash, demonstrating the NULL pointer dereference vulnerability.

Remediation

Users can upgrade to the patched version of the Linux kernel where this vulnerability has been addressed. The patch is available in the Linux kernel stable tree.

Added: Apr 3, 2026, 5:11 PM
Updated: Apr 3, 2026, 5:11 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.1
exploitability: 3.8
remediation: 7.7
relevance: 5.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.