
CVE-2026-23277: Linux Kernel Buffer Overflow Vulnerability

CVE-2026-23277 is a buffer overflow flaw in the Linux kernel's net/sched TEQL component that causes a NULL pointer dereference during tunnel transmission. This article covers technical details, affected systems, and mitigation.

Published: March 27, 2026

CVE-2026-23277 Overview

A NULL pointer dereference vulnerability has been discovered in the Linux kernel's TEQL (True Equalizer) network scheduler. The vulnerability exists in the teql_master_xmit() function within net/sched/sch_teql.c, which fails to properly update skb->dev to the slave device before calling netdev_start_xmit(). This oversight causes tunnel transmit functions to operate with an incorrect device reference, ultimately leading to a kernel page fault when attempting to access unallocated statistics structures.

Critical Impact

Systems using the TEQL scheduler with GRE tunnel slaves are vulnerable to kernel panics caused by a NULL pointer dereference when transmitting packets, potentially causing denial-of-service conditions.

Affected Products

  • Linux Kernel (multiple stable versions)
  • Systems using TEQL network scheduler with tunnel interfaces
  • Configurations with gretap tunnels as TEQL slaves

Discovery Timeline

  • 2026-03-20 - CVE-2026-23277 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2026-23277

Vulnerability Analysis

This vulnerability resides in the TEQL (True Equalizer) qdisc scheduler implementation within the Linux kernel networking stack. The TEQL scheduler is designed to aggregate multiple network interfaces into a single virtual interface for load balancing purposes. The flaw occurs during the packet transmission path when a GRE tunnel interface is configured as a TEQL slave.

When teql_master_xmit() invokes netdev_start_xmit(skb, slave) to transmit packets through slave devices, it neglects to update skb->dev to point to the actual slave device. This becomes problematic when the slave is a gretap tunnel, as the transmission path eventually reaches iptunnel_xmit(), which saves dev = skb->dev (still incorrectly pointing to the teql0 master interface) and later calls iptunnel_xmit_stats(dev, pkt_len).

The iptunnel_xmit_stats() function attempts to access per-CPU traffic statistics via get_cpu_ptr(dev->tstats). However, since teql_master_setup() does not configure dev->pcpu_stat_type to NETDEV_PCPU_STAT_TSTATS, the kernel's network stack never allocates the tstats structure for the teql0 interface, leaving dev->tstats as NULL. The subsequent get_cpu_ptr(NULL) operation computes an invalid address by adding __per_cpu_offset[cpu] to NULL, resulting in a supervisor-mode page fault.

Root Cause

The root cause is an incomplete implementation in teql_master_xmit() that fails to update the socket buffer's device reference (skb->dev) before delegating packet transmission to slave interfaces. The TEQL master device lacks the per-CPU statistics allocation that tunnel interfaces expect, creating a NULL pointer condition when tunnel statistics functions are invoked with the wrong device context.
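
The device mix-up described above can be followed in a userspace model. This C program is an added example, not kernel code and not part of the original advisory: the structures are simplified stand-ins, the patched flag and run_case() helper are hypothetical, and the NULL case returns -1 where the kernel would take the page fault.

```c
#include <stdio.h>

/* Simplified userspace stand-ins for the kernel structures (assumptions). */
struct pcpu_sw_netstats { unsigned long tx_packets, tx_bytes; };
struct net_device { const char *name; struct pcpu_sw_netstats *tstats; };
struct sk_buff { struct net_device *dev; unsigned int len; };

static int iptunnel_xmit_stats(struct net_device *dev, unsigned int pkt_len)
{
    if (dev->tstats == NULL)
        return -1;              /* kernel: get_cpu_ptr(NULL) -> page fault */
    dev->tstats->tx_packets++;
    dev->tstats->tx_bytes += pkt_len;
    return 0;
}

/* Like iptunnel_xmit(), accounts against skb->dev, not the device argument. */
static int tunnel_start_xmit(struct sk_buff *skb, struct net_device *slave)
{
    (void)slave;
    return iptunnel_xmit_stats(skb->dev, skb->len);
}

/* patched == 0 models the vulnerable teql_master_xmit(); 1 models the fix. */
static int teql_master_xmit(struct sk_buff *skb, struct net_device *slave, int patched)
{
    if (patched)
        skb->dev = slave;
    return tunnel_start_xmit(skb, slave);
}

/* Sends one constructed 1400-byte packet from teql0 through a gretap slave. */
static int run_case(int patched, unsigned long *slave_tx_packets)
{
    struct pcpu_sw_netstats gre_stats = { 0, 0 };
    struct net_device teql0 = { "teql0", NULL };      /* tstats never allocated */
    struct net_device gretap0 = { "gretap0", &gre_stats };
    struct sk_buff skb = { &teql0, 1400 };
    int rc = teql_master_xmit(&skb, &gretap0, patched);
    *slave_tx_packets = gre_stats.tx_packets;
    return rc;
}

int main(void)
{
    unsigned long n;
    int bad = run_case(0, &n), good = run_case(1, &n);
    printf("unpatched rc=%d, patched rc=%d, slave tx_packets=%lu\n", bad, good, n);
    return 0;
}
```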

Attack Vector

The vulnerability can be triggered through normal network operations on systems configured with the TEQL scheduler and tunnel-based slave interfaces. The following conditions must be met for exploitation:

  1. The TEQL scheduler (sch_teql) must be loaded and configured
  2. A gretap or similar tunnel interface must be configured as a TEQL slave
  3. Network traffic must be transmitted through the TEQL master interface

When these conditions are satisfied and packets traverse the affected code path, the kernel takes a page fault at a computed address similar to ffff8880e6659018, resulting in an Oops with error code 0x0002 (supervisor write access to a not-present page). The call trace shows the fault occurring in iptunnel_xmit() after traversing teql_master_xmit(), gre_tap_xmit(), and ip_tunnel_xmit().

Detection Methods for CVE-2026-23277

Indicators of Compromise

  • Kernel panic or Oops messages containing teql_master_xmit in the call trace
  • Page fault errors at addresses offset from NULL by per-CPU offset values
  • System crashes when transmitting traffic through TEQL interfaces with tunnel slaves
  • Kernel log entries showing BUG: unable to handle page fault with RIP pointing to iptunnel_xmit

Detection Strategies

  • Monitor kernel logs for Oops messages containing references to sch_teql.c or teql_master_xmit
  • Implement kernel crash dump analysis to identify NULL pointer dereference patterns in TEQL code paths
  • Audit system configurations for TEQL scheduler usage with tunnel slave interfaces
  • Deploy kernel function tracing (ftrace) on teql_master_xmit to detect anomalous execution patterns
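
One way to implement the kernel-log check from the indicators and strategies above, as an added C example that is not part of the original advisory. The function name, the sample log (timestamps and symbol offsets are constructed) and the choice to ignore unreliable "? " frames are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample assembled from this advisory's details, not a captured log. */
static const char SAMPLE_OOPS[] =
    "[   42.100000] BUG: unable to handle page fault for address: ffff8880e6659018\n"
    "[   42.100001] RIP: 0010:iptunnel_xmit+0x1a0/0x2c0\n"
    "[   42.100002] Call Trace:\n"
    "[   42.100003]  ip_tunnel_xmit+0x5f0/0xa10\n"
    "[   42.100004]  gre_tap_xmit+0xd0/0x190\n"
    "[   42.100005]  ? srso_return_thunk+0x5/0x5f\n"
    "[   42.100006]  teql_master_xmit+0x2e0/0x4f0\n";

/* True if the text at p is a stack frame for sym, i.e. "sym+0x...". */
static int frame_is(const char *p, const char *sym)
{
    size_t n = strlen(sym);
    return strncmp(p, sym, n) == 0 && p[n] == '+';
}

/* 1 when: page fault + RIP in iptunnel_xmit + reliable teql_master_xmit frame. */
static int matches_cve_2026_23277(const char *log)
{
    int fault = 0, rip = 0, teql = 0, in_trace = 0;
    char buf[256];
    for (const char *line = log; *line; ) {
        size_t len = strcspn(line, "\n");
        snprintf(buf, sizeof buf, "%.*s", (int)len, line);
        line += len + (line[len] == '\n');
        char *p = buf, *q;
        if (*p == '[' && (q = strchr(p, ']')) != NULL)
            p = q + 1;                         /* drop the dmesg timestamp */
        p += strspn(p, " ");
        if (strstr(p, "BUG: unable to handle page fault"))
            fault = 1;
        else if (strncmp(p, "RIP: ", 5) == 0 && (q = strchr(p + 5, ':')) != NULL)
            rip |= frame_is(q + 1, "iptunnel_xmit");
        else if (strncmp(p, "Call Trace:", 11) == 0)
            in_trace = 1;
        else if (in_trace && frame_is(p, "teql_master_xmit"))
            teql = 1;                          /* "? sym" frames never match */
    }
    return fault && rip && teql;
}

int main(void)
{
    return !matches_cve_2026_23277(SAMPLE_OOPS);   /* exit status 0 on a match */
}
```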

Monitoring Recommendations

  • Configure kdump or other kernel crash collection mechanisms to capture diagnostic data
  • Set up alerts for kernel panic events specifically mentioning network scheduler components
  • Monitor system stability metrics for unexpected reboots on systems using TEQL configurations
  • Review network interface configurations periodically to identify potentially vulnerable TEQL+tunnel setups

How to Mitigate CVE-2026-23277

Immediate Actions Required

  • Update to a patched Linux kernel version that includes the fix for this vulnerability
  • Avoid configuring tunnel interfaces (gretap, ip_gre) as TEQL slave devices until patched
  • Consider alternative load balancing solutions such as the bonding driver if TEQL with tunnels is required
  • Implement system monitoring to detect and respond to kernel panics

Patch Information

The fix has been committed to the Linux kernel stable trees. The patch modifies teql_master_xmit() to properly set skb->dev = slave before calling netdev_start_xmit(), ensuring that tunnel transmit functions receive the correct slave device with properly allocated statistics structures.

Multiple kernel stable branch commits are available:

  • Kernel Bug Fix Commit 0bad9c86
  • Kernel Bug Fix Commit 0cc0c2e6
  • Kernel Bug Fix Commit 21ea283c
  • Kernel Bug Fix Commit 57c15324
  • Kernel Bug Fix Commit 59b06d8b
  • Kernel Bug Fix Commit 81a43e80

Workarounds

  • Remove tunnel interfaces from TEQL slave configurations until the kernel is patched
  • Use alternative traffic distribution mechanisms such as the Linux bonding driver
  • If TEQL is required, avoid using tunnel-based interfaces as slaves
  • Consider network architecture changes to eliminate the TEQL+tunnel combination
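
```bash
# List TEQL master devices (teqlN) and interfaces whose root qdisc is teqlN.
# TEQL masters are created by the sch_teql module and carry no link "type",
# so match on the name rather than filtering with "type teql".
ip -o link show | grep teql

# Remove a tunnel from TEQL slave configuration (gretap0 is an example name)
tc qdisc del dev gretap0 root teql0

# Verify no tunnels are configured as TEQL slaves
tc qdisc show | grep teql
```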

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Buffer Overflow
  • Vendor/Tech: Linux Kernel
  • Severity: NONE
  • CVSS Score: N/A
  • EPSS Probability: 0.03%
  • Known Exploited: No

Impact Assessment

  • Confidentiality: None
  • Integrity: None
  • Availability: None

Related CVEs

  • CVE-2026-23407: Linux Kernel Buffer Overflow Vulnerability
  • CVE-2026-23406: Linux Kernel Buffer Overflow Vulnerability
  • CVE-2026-23397: Linux Kernel Buffer Overflow Vulnerability
  • CVE-2026-23323: Linux Kernel Buffer Overflow Vulnerability