CVE-2026-23293
NULL Pointer Dereference in Linux VXLAN with IPv6 Disabled
Publication date: 2026-03-25
Last updated on: 2026-04-18
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's VXLAN networking component when IPv6 is disabled using the 'ipv6.disable=1' boot parameter.
Because IPv6 is disabled, a critical data structure called nd_tbl is never initialized. If an IPv6 packet is then injected into the interface, the kernel function route_shortcircuit() is called, which leads to a NULL pointer dereference in neigh_lookup().
This causes a kernel crash (BUG: kernel NULL pointer dereference), resulting in an 'Oops' error and potentially system instability or denial of service.
The fix involves adding an early check in route_shortcircuit() for the IPv6 protocol to prevent this NULL dereference.
How can this vulnerability impact me? :
This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference when an IPv6 packet is received on a system with IPv6 disabled.
The impact includes potential system instability, denial of service, or unexpected reboots, which can disrupt services and operations running on affected systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a NULL pointer dereference in the Linux kernel's vxlan module when IPv6 is disabled and an IPv6 packet is injected. Detection would involve monitoring for kernel oops or crash messages related to neigh_lookup or vxlan_xmit functions.
You can check your kernel logs for signs of this issue by using commands such as:
- dmesg | grep -i 'neigh_lookup'
- journalctl -k | grep -i 'vxlan'
- journalctl -k | grep -i 'NULL pointer dereference'
Additionally, verify if the system is booted with the 'ipv6.disable=1' parameter by checking the kernel command line:
- cat /proc/cmdline | grep ipv6.disable=1
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, the immediate step is to avoid booting the system with the 'ipv6.disable=1' parameter, as this causes the nd_tbl to remain uninitialized.
Alternatively, update the Linux kernel to a version where this vulnerability is fixed, which includes an early check in route_shortcircuit() for ETH_P_IPV6 protocol to prevent the NULL pointer dereference.
If updating the kernel is not immediately possible, consider disabling or restricting VXLAN interfaces or IPv6 packet injection on affected systems to reduce exposure.