CVE-2026-23381
Received Received - Intake
NULL Pointer Dereference in Linux Bridge with IPv6 Disabled

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. Then, if neigh_suppress is enabled and an ICMPv6 Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() will dereference ipv6_stub->nd_tbl which is NULL, passing it to neigh_lookup(). This causes a kernel NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000268 Oops: 0000 [#1] PREEMPT SMP NOPTI [...] RIP: 0010:neigh_lookup+0x16/0xe0 [...] Call Trace: <IRQ> ? neigh_lookup+0x16/0xe0 br_do_suppress_nd+0x160/0x290 [bridge] br_handle_frame_finish+0x500/0x620 [bridge] br_handle_frame+0x353/0x440 [bridge] __netif_receive_skb_core.constprop.0+0x298/0x1110 __netif_receive_skb_one_core+0x3d/0xa0 process_backlog+0xa0/0x140 __napi_poll+0x2c/0x170 net_rx_action+0x2c4/0x3a0 handle_softirqs+0xd0/0x270 do_softirq+0x3f/0x60 Fix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in the callers. This is in essence disabling NS/NA suppression when IPv6 is disabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23381
EUVD
EUVD-2026-15374
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 4.15
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.77 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 4.15.1 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel's network bridge code when IPv6 is disabled using the 'ipv6.disable=1' boot parameter.

Because IPv6 is disabled, a critical data structure called nd_tbl is never initialized. If the neigh_suppress feature is enabled and an ICMPv6 Neighbor Discovery packet arrives at the bridge, the kernel attempts to access this uninitialized nd_tbl, leading to a NULL pointer dereference.

This results in a kernel crash (BUG: kernel NULL pointer dereference) due to the kernel trying to dereference a NULL pointer in the neigh_lookup function.

The fix involves disabling Neighbor Discovery suppression when IPv6 is disabled by replacing the IS_ENABLED(IPV6) check with ipv6_mod_enabled(), preventing the NULL dereference.

Impact Analysis

This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference when processing certain network packets if IPv6 is disabled and neigh_suppress is enabled.

A kernel crash can lead to system instability, denial of service, and potential downtime for systems relying on the affected Linux kernel bridge functionality.

Detection Guidance

This vulnerability occurs when the Linux kernel is booted with the 'ipv6.disable=1' parameter and neigh_suppress is enabled, leading to a kernel NULL pointer dereference upon receiving an ICMPv6 Neighbor Discovery packet on a bridge.

To detect this vulnerability on your system, you can check if the kernel is booted with the 'ipv6.disable=1' parameter and if neigh_suppress is enabled on the bridge.

  • Check kernel boot parameters for IPv6 disablement: grep 'ipv6.disable' /proc/cmdline
  • Check if neigh_suppress is enabled on the bridge interface: sysctl net.bridge.bridge-nf-call-iptables (or relevant bridge neigh_suppress settings)

Additionally, monitor kernel logs for NULL pointer dereference errors related to neigh_lookup or br_do_suppress_nd functions, which may appear as Oops messages in dmesg or /var/log/kern.log.

Mitigation Strategies

The vulnerability is fixed by disabling Neighbor Discovery suppression when IPv6 is disabled.

Immediate mitigation steps include:

  • Avoid booting the system with the 'ipv6.disable=1' kernel parameter if possible.
  • If IPv6 must be disabled, consider disabling neigh_suppress on the bridge to prevent the NULL pointer dereference.
  • Apply the kernel patch or update to a version where the fix replacing IS_ENABLED(IPV6) with ipv6_mod_enabled() has been implemented.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23381. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart