CVE-2026-23381
NULL Pointer Dereference in Linux Bridge with IPv6 Disabled
Publication date: 2026-03-25
Last updated on: 2026-04-24
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 4.15 |
| linux | linux_kernel | From 6.19 (inc) to 6.19.7 (exc) |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.17 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.130 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.77 (exc) |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.167 (exc) |
| linux | linux_kernel | From 4.15.1 (inc) to 5.10.253 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Linux kernel's network bridge code when IPv6 is disabled using the 'ipv6.disable=1' boot parameter.
Because IPv6 is disabled, a critical data structure called nd_tbl is never initialized. If the neigh_suppress feature is enabled and an ICMPv6 Neighbor Discovery packet arrives at the bridge, the kernel attempts to access this uninitialized nd_tbl, leading to a NULL pointer dereference.
The result is a kernel crash (BUG: kernel NULL pointer dereference) inside the neigh_lookup function.
The fix involves disabling Neighbor Discovery suppression when IPv6 is disabled by replacing the IS_ENABLED(IPV6) check with ipv6_mod_enabled(), preventing the NULL dereference.
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference when processing certain network packets if IPv6 is disabled and neigh_suppress is enabled.
A kernel crash can lead to system instability, denial of service, and potential downtime for systems relying on the affected Linux kernel bridge functionality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when the Linux kernel is booted with the 'ipv6.disable=1' parameter and neigh_suppress is enabled, leading to a kernel NULL pointer dereference upon receiving an ICMPv6 Neighbor Discovery packet on a bridge.
To detect this vulnerability on your system, you can check if the kernel is booted with the 'ipv6.disable=1' parameter and if neigh_suppress is enabled on the bridge.
- Check kernel boot parameters for IPv6 disablement: `grep 'ipv6.disable' /proc/cmdline`
- Check if neigh_suppress is enabled on any bridge port: `bridge -d link show` (look for `neigh_suppress on` in the port flags)
Additionally, monitor kernel logs for NULL pointer dereference errors related to neigh_lookup or br_do_suppress_nd functions, which may appear as Oops messages in dmesg or /var/log/kern.log.
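The checks above combined into one script, as an added example that is not part of the original page. It assumes the per-port flag is read from /sys/class/net/<port>/brport/neigh_suppress; the function names and the SYSFS_NET and CMDLINE_FILE overrides are hypothetical, included so the logic can be run against fixture files.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether this host has both
# preconditions the page describes. SYSFS_NET and CMDLINE_FILE are
# hypothetical overrides so the checks can be pointed at fixture files.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
CMDLINE_FILE="${CMDLINE_FILE:-/proc/cmdline}"

# Succeeds only if the boot command line has ipv6.disable=1 as a whole token
# (so ipv6.disable=10 or xipv6.disable=1 do not match).
ipv6_boot_disabled() {
    tr ' \t' '\n\n' < "$CMDLINE_FILE" | grep -qx 'ipv6\.disable=1'
}

# Prints one line per bridge port whose neigh_suppress flag reads 1.
suppress_ports() {
    for f in "$SYSFS_NET"/*/brport/neigh_suppress; do
        [ -r "$f" ] || continue            # unmatched glob or unreadable file
        [ "$(cat "$f")" = "1" ] || continue
        port=${f%/brport/neigh_suppress}   # strip the attribute path
        echo "${port##*/}"                 # keep only the interface name
    done
}

# Returns 0 and prints the affected ports when both preconditions hold.
check_exposure() {
    ipv6_boot_disabled || return 1
    ports=$(suppress_ports)
    [ -n "$ports" ] || return 1
    echo "$ports"
}

# Succeeds if a saved kernel log ($1) holds a NULL-dereference Oops that
# names either function the advisory mentions.
log_has_oops() {
    grep -q 'NULL pointer dereference' "$1" &&
        grep -Eq 'neigh_lookup|br_do_suppress_nd' "$1"
}

if hit=$(check_exposure); then
    echo "ipv6.disable=1 is set and neigh_suppress is on for:" $hit
else
    echo "crash preconditions not both present"
fi
```

For the log check, pass a saved copy of the kernel log, for example the output of `dmesg` written to a file, to `log_has_oops`.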
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by disabling Neighbor Discovery suppression when IPv6 is disabled.
Immediate mitigation steps include:
- Avoid booting the system with the 'ipv6.disable=1' kernel parameter if possible.
- If IPv6 must be disabled, consider disabling neigh_suppress on the bridge to prevent the NULL pointer dereference.
- Apply the kernel patch or update to a version where the fix replacing IS_ENABLED(IPV6) with ipv6_mod_enabled() has been implemented.