CVE-2026-43099
Analyzed Analyzed - Analysis Complete

Null-Pointer Dereference in Linux Kernel ICMP Probe

Vulnerability report for CVE-2026-43099, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-06

Last updated on: 2026-06-01

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: fix null-ptr-deref in icmp_build_probe() ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing this error pointer to dev_hold() will cause a kernel crash with null-ptr-deref. Instead, silently discard the request. RFC 8335 does not appear to define a specific response for the case where an IPv6 interface identifier is syntactically valid but the implementation cannot perform the lookup at runtime, and silently dropping the request may safer than misreporting "No Such Interface".

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-06
Last Modified
2026-06-01
Generated
2026-07-06
AI Q&A
2026-05-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.24 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.14 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.83 (exc)
linux linux_kernel From 5.13 (inc) to 6.6.136 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The vulnerability is resolved by fixing the null pointer dereference in the Linux kernel's ICMP code. Immediate mitigation involves updating the Linux kernel to a version where this fix is applied.

Since the issue occurs when the IPv6 stack is not active (CONFIG_IPV6=m and not loaded), ensuring that the IPv6 stack is either properly enabled or the kernel is updated to handle this case safely can prevent the kernel crash.

Executive Summary

This vulnerability exists in the Linux kernel's handling of certain IPv6 operations. Specifically, when the IPv6 stack is not active (for example, when CONFIG_IPV6 is set to 'm' and the module is not loaded), a function called ipv6_dev_find() may return an error pointer ERR_PTR(-EAFNOSUPPORT). If this error pointer is then passed to another function dev_hold(), it causes a kernel crash due to a null pointer dereference.

The fix involves silently discarding the request instead of passing the error pointer, as the relevant RFC (RFC 8335) does not define a specific response for this scenario. This approach avoids misreporting errors and prevents the kernel crash.

Impact Analysis

This vulnerability can cause the Linux kernel to crash due to a null pointer dereference when handling certain IPv6 interface lookups while the IPv6 stack is inactive. Such a crash can lead to system instability, denial of service, or unexpected reboots, potentially disrupting services running on affected systems.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43099. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart