CVE-2026-43099
Null-Pointer Dereference in Linux Kernel ICMP Probe
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's handling of certain IPv6 operations. Specifically, when the IPv6 stack is not active (for example, when CONFIG_IPV6 is set to 'm' and the module is not loaded), a function called ipv6_dev_find() may return an error pointer ERR_PTR(-EAFNOSUPPORT). If this error pointer is then passed to another function dev_hold(), it causes a kernel crash due to a null pointer dereference.
The fix involves silently discarding the request instead of passing the error pointer, as the relevant RFC (RFC 8335) does not define a specific response for this scenario. This approach avoids misreporting errors and prevents the kernel crash.
How can this vulnerability impact me? :
This vulnerability can cause the Linux kernel to crash due to a null pointer dereference when handling certain IPv6 interface lookups while the IPv6 stack is inactive. Such a crash can lead to system instability, denial of service, or unexpected reboots, potentially disrupting services running on affected systems.