CVE-2026-23439
Received - Intake
NULL Pointer Dereference in Linux Kernel udp_tunnel with IPv6 Disabled

Publication date: 2026-04-03

Last updated on: 2026-04-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n

When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 (success) without actually creating a socket. Callers such as fou_create() then proceed to dereference the uninitialized socket pointer, resulting in a NULL pointer dereference.

The captured NULL deref crash:

  BUG: kernel NULL pointer dereference, address: 0000000000000018
  RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)
  [...]
  Call Trace:
   <TASK>
   genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)
   genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)
   [...]
   netlink_rcv_skb (net/netlink/af_netlink.c:2550)
   genl_rcv (net/netlink/genetlink.c:1219)
   netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
   netlink_sendmsg (net/netlink/af_netlink.c:1894)
   __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))
   __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))
   __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))
   do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
   entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)

This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so callers correctly take their error paths. There is only one caller of the vulnerable function and only privileged users can trigger it.
Meta Information
Published: 2026-04-03
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 3.18
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 3.18.1 (inc) to 5.10.253 (exc)
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's udp_tunnel component when IPv6 support (CONFIG_IPV6) is disabled. The function udp_sock_create6() incorrectly returns success (0) without actually creating a socket. As a result, functions that rely on this socket, such as fou_create(), attempt to use an uninitialized socket pointer, leading to a NULL pointer dereference and a kernel crash.

The issue is fixed by changing udp_sock_create6() to return an error code (-EPFNOSUPPORT) when IPv6 is disabled, allowing callers to handle the error properly instead of dereferencing a NULL pointer.


How can this vulnerability impact me?

This vulnerability can cause a kernel NULL pointer dereference crash, which may lead to a denial of service (DoS) condition by crashing the Linux kernel. However, only privileged users can trigger this vulnerability, which limits the risk posed by unauthorized users.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability causes a NULL pointer dereference in the Linux kernel when CONFIG_IPV6 is disabled and a privileged user triggers the udp_sock_create6 function. Detection would involve monitoring for kernel crash logs containing messages like "BUG: kernel NULL pointer dereference" and traces referencing fou_nl_add_doit or udp_sock_create6.

Since the issue is triggered by privileged users invoking certain socket creation calls, checking kernel logs (e.g., using dmesg or journalctl) for related NULL pointer dereference crashes can help detect exploitation attempts.

No specific commands are provided in the available information.
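One way to run the log check described above, as an added example that is not part of the advisory or the kernel patch. It counts oops reports whose RIP line is in fou_nl_add_doit, the faulting function in the captured trace. The 12-line look-ahead window and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: match the crash signature quoted in the description.

# count_fou_null_deref [FILE...]
# Reads kernel log text (files, or stdin when no file is given) and prints
# the number of "BUG: kernel NULL pointer dereference" reports that are
# followed, within WINDOW lines, by a RIP line inside fou_nl_add_doit.
# WINDOW=12 is an assumption: it leaves room for the #PF/Oops/CPU lines a
# full oops report prints between the BUG line and the RIP line.
count_fou_null_deref() {
    awk -v window=12 '
        /BUG: kernel NULL pointer dereference/ { left = window; next }
        left > 0 {
            left--
            if ($0 ~ /RIP: [0-9a-f]+:fou_nl_add_doit/) { hits++; left = 0 }
        }
        END { print hits + 0 }
    ' "$@"
}

# Constructed sample log (timestamps and offsets are made up): one matching
# report, one NULL deref in an unrelated function, and one line that names
# the function outside of any oops report.
make_sample_log() {
    cat <<'EOF'
[  101.000001] BUG: kernel NULL pointer dereference, address: 0000000000000018
[  101.000002] #PF: supervisor read access in kernel mode
[  101.000003] RIP: 0010:fou_nl_add_doit+0x1a2/0x3f0
[  101.000004] Call Trace:
[  250.000001] BUG: kernel NULL pointer dereference, address: 0000000000000040
[  250.000002] RIP: 0010:some_other_driver_fn+0x10/0x80
[  300.000001] note: unrelated line mentioning fou_nl_add_doit
EOF
}

make_sample_log | count_fou_null_deref
```

On a live host, pipe the output of `dmesg` or `journalctl -k` into `count_fou_null_deref`; a non-zero count means the crash path has already been hit at least once since the log began.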


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by a patch that changes udp_sock_create6 to return an error (-EPFNOSUPPORT) instead of success when CONFIG_IPV6 is disabled, preventing NULL pointer dereference.

Immediate mitigation steps include applying the relevant Linux kernel patch or updating to a kernel version that includes this fix.

Additionally, restricting privileged user access to systems where this vulnerability could be triggered can reduce risk.
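To decide which hosts need the update first, the added example below (not from the advisory) combines the two conditions the page gives: an upstream version inside one of the listed affected ranges, and a build with CONFIG_IPV6 disabled. It assumes `sort -V` is available and compares upstream version numbers only, so a distribution kernel with a backported fix will still be reported by version alone.

```shell
#!/bin/sh
# Added example, not from the advisory. Rows are "first-affected fixed-in",
# copied from the CPE table above (the bare 3.18 row is folded into the first
# range; the unqualified 7.0 rows are not modelled).
AFFECTED_RANGES='3.18 5.10.253
5.11 5.15.203
5.16 6.1.167
6.2 6.6.130
6.7 6.12.78
6.13 6.18.20
6.19 6.19.10'

# ver_lt A B: true when A sorts strictly before B (needs sort -V).
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# in_affected_range VER: true when first-affected <= VER < fixed-in for a row.
in_affected_range() {
    while read -r lo fixed; do
        if ! ver_lt "$1" "$lo" && ver_lt "$1" "$fixed"; then return 0; fi
    done <<EOF
$AFFECTED_RANGES
EOF
    return 1
}

# ipv6_compiled_out FILE: true when the build config leaves CONFIG_IPV6 unset.
ipv6_compiled_out() { grep -q '^# CONFIG_IPV6 is not set' "$1"; }

# assess RELEASE CONFIG_FILE: prints exposed, ipv6-enabled or fixed-or-unlisted.
assess() {
    v=${1%%-*}   # drop a distro suffix such as -45-generic
    if ! in_affected_range "$v"; then echo fixed-or-unlisted
    elif ipv6_compiled_out "$2"; then echo exposed
    else echo ipv6-enabled
    fi
}

# Constructed demo input: a config fragment with IPv6 compiled out.
demo_cfg=$(mktemp)
printf '%s\n' 'CONFIG_NET=y' '# CONFIG_IPV6 is not set' > "$demo_cfg"
assess 6.6.129 "$demo_cfg"
assess 6.6.130 "$demo_cfg"
rm -f "$demo_cfg"
```

On a live host the arguments are typically `"$(uname -r)"` and the build config shipped with the kernel, commonly `/boot/config-$(uname -r)`.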

