CVE-2026-23293
Analyzed Analyzed - Analysis Complete
NULL Pointer Dereference in Linux VXLAN with IPv6 Disabled

Publication date: 2026-03-25

Last updated on: 2026-05-29

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If an IPv6 packet is injected into the interface, route_shortcircuit() is called and a NULL pointer dereference happens on neigh_lookup(). BUG: kernel NULL pointer dereference, address: 0000000000000380 Oops: Oops: 0000 [#1] SMP NOPTI [...] RIP: 0010:neigh_lookup+0x20/0x270 [...] Call Trace: <TASK> vxlan_xmit+0x638/0x1ef0 [vxlan] dev_hard_start_xmit+0x9e/0x2e0 __dev_queue_xmit+0xbee/0x14e0 packet_sendmsg+0x116f/0x1930 __sys_sendto+0x1f5/0x200 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x12f/0x1590 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fix this by adding an early check on route_shortcircuit() when protocol is ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because VXLAN can be built-in even when IPv6 is built as a module.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-05-29
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23293
EUVD
EUVD-2026-15224
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.77 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 3.12 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's VXLAN networking component when IPv6 is disabled using the 'ipv6.disable=1' boot parameter.

Because IPv6 is disabled, a critical data structure called nd_tbl is never initialized. If an IPv6 packet is then injected into the interface, the kernel function route_shortcircuit() is called, which leads to a NULL pointer dereference in neigh_lookup().

This causes a kernel crash (BUG: kernel NULL pointer dereference), resulting in an 'Oops' error and potentially system instability or denial of service.

The fix involves adding an early check in route_shortcircuit() for the IPv6 protocol to prevent this NULL dereference.

Impact Analysis

This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference when an IPv6 packet is received on a system with IPv6 disabled.

The impact includes potential system instability, denial of service, or unexpected reboots, which can disrupt services and operations running on affected systems.

Detection Guidance

This vulnerability involves a NULL pointer dereference in the Linux kernel's vxlan module when IPv6 is disabled and an IPv6 packet is injected. Detection would involve monitoring for kernel oops or crash messages related to neigh_lookup or vxlan_xmit functions.

You can check your kernel logs for signs of this issue by using commands such as:

  • dmesg | grep -i 'neigh_lookup'
  • journalctl -k | grep -i 'vxlan'
  • journalctl -k | grep -i 'NULL pointer dereference'

Additionally, verify if the system is booted with the 'ipv6.disable=1' parameter by checking the kernel command line:

  • cat /proc/cmdline | grep ipv6.disable=1
Mitigation Strategies

To mitigate this vulnerability, the immediate step is to avoid booting the system with the 'ipv6.disable=1' parameter, as this causes the nd_tbl to remain uninitialized.

Alternatively, update the Linux kernel to a version where this vulnerability is fixed, which includes an early check in route_shortcircuit() for ETH_P_IPV6 protocol to prevent the NULL pointer dereference.

If updating the kernel is not immediately possible, consider disabling or restricting VXLAN interfaces or IPv6 packet injection on affected systems to reduce exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23293. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart