CVE-2026-43441
Received - Intake
NULL dereference in Linux Kernel bonding driver

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled

When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags().

    BUG: kernel NULL pointer dereference, address: 00000000000005d8
    Oops: Oops: 0000 [#1] SMP NOPTI
    RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170
    Call Trace:
     <IRQ>
     ipv6_chk_addr+0x1f/0x30
     bond_validate_na+0x12e/0x1d0 [bonding]
     ? __pfx_bond_handle_frame+0x10/0x10 [bonding]
     bond_rcv_validate+0x1a0/0x450 [bonding]
     bond_handle_frame+0x5e/0x290 [bonding]
     ? srso_alias_return_thunk+0x5/0xfbef5
     __netif_receive_skb_core.constprop.0+0x3e8/0xe50
     ? srso_alias_return_thunk+0x5/0xfbef5
     ? update_cfs_rq_load_avg+0x1a/0x240
     ? srso_alias_return_thunk+0x5/0xfbef5
     ? __enqueue_entity+0x5e/0x240
     __netif_receive_skb_one_core+0x39/0xa0
     process_backlog+0x9c/0x150
     __napi_poll+0x30/0x200
     ? srso_alias_return_thunk+0x5/0xfbef5
     net_rx_action+0x338/0x3b0
     handle_softirqs+0xc9/0x2a0
     do_softirq+0x42/0x60
     </IRQ>
     <TASK>
     __local_bh_enable_ip+0x62/0x70
     __dev_queue_xmit+0x2d3/0x1000
     ? srso_alias_return_thunk+0x5/0xfbef5
     ? srso_alias_return_thunk+0x5/0xfbef5
     ? packet_parse_headers+0x10a/0x1a0
     packet_sendmsg+0x10da/0x1700
     ? kick_pool+0x5f/0x140
     ? srso_alias_return_thunk+0x5/0xfbef5
     ? __queue_work+0x12d/0x4f0
     __sys_sendto+0x1f3/0x220
     __x64_sys_sendto+0x24/0x30
     do_syscall_64+0x101/0xf80
     ? exc_page_fault+0x6e/0x170
     ? srso_alias_return_thunk+0x5/0xfbef5
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
     </TASK>

Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() and avoid the path to ipv6_chk_addr().

Meta Information

  • Published: 2026-05-08
  • Last Modified: 2026-05-08
  • Generated: 2026-05-09
  • AI Q&A: 2026-05-08
  • EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

  • Vendor: linux, Product: linux_kernel, Version / Range: *

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's network bonding driver. When IPv6 is disabled using the 'ipv6.disable=1' boot parameter, a critical data structure called nd_tbl is never initialized. If bonding ARP/NS validation is enabled, receiving an IPv6 Neighbor Solicitation or Neighbor Advertisement packet on a bonded slave interface can trigger a function call path that leads to a NULL pointer dereference and kernel crash.

Specifically, the issue arises because the function bond_validate_na() calls bond_has_this_ip6(), which calls ipv6_chk_addr(), eventually crashing in __ipv6_chk_addr_and_flags() due to the uninitialized nd_tbl. The fix involves checking if IPv6 is enabled before processing IPv6 packets in the bonding driver and returning early if IPv6 is disabled to avoid the crash.


How can this vulnerability impact me?

This vulnerability can cause a kernel NULL pointer dereference leading to a system crash (kernel panic) when IPv6 is disabled and bonding ARP/NS validation is enabled. This can result in denial of service (DoS) conditions on affected systems, potentially causing unexpected reboots or downtime.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a kernel NULL pointer dereference crash when IPv6 is disabled and bonding ARP/NS validation is enabled. Detection involves monitoring for kernel crash logs or oops messages indicating a NULL pointer dereference in __ipv6_chk_addr_and_flags or related bonding functions.

You can check your kernel logs for crash messages similar to the following pattern: "BUG: kernel NULL pointer dereference" or "Oops: 0000 [#1] SMP NOPTI" with call traces involving bond_validate_na, bond_rcv_validate, or __ipv6_chk_addr_and_flags.

To detect if your system is vulnerable, verify if the kernel is running with the 'ipv6.disable=1' boot parameter and if bonding ARP/NS validation is enabled.

  • Check kernel boot parameters: `cat /proc/cmdline | grep ipv6.disable`
  • Check if bonding is enabled and ARP/NS validation is active by inspecting bonding interface settings, e.g., `cat /proc/net/bonding/bond0`
  • Monitor kernel logs for crashes: `dmesg | grep -i 'NULL pointer dereference'` or `journalctl -k | grep -i 'bond_validate_na'`
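
The checks above combined into one script, as an added example that is not part of the original page or the kernel project. The function names are hypothetical, and the script assumes the bonding sysfs attribute `/sys/class/net/<bond>/bonding/arp_validate` reports the mode name followed by its number.

```shell
#!/bin/sh
# Added example: exposure and crash-signature check for the bonding NULL dereference.

# True when the kernel command line carries ipv6.disable=1 as a whole parameter.
ipv6_disabled_in_cmdline() {
    case " $1 " in
        *" ipv6.disable=1 "*) return 0 ;;
    esac
    return 1
}

# True when an arp_validate value is anything but "none".
# Assumption: sysfs prints the mode name and its number, e.g. "none 0" or "all 3".
arp_validate_active() {
    case "$1" in
        ""|none*) return 1 ;;
    esac
    return 0
}

# Print "exposed" only when both preconditions from the description hold.
exposure_state() {   # $1 = kernel command line, $2 = arp_validate value
    if ipv6_disabled_in_cmdline "$1" && arp_validate_active "$2"; then
        echo exposed
    else
        echo not-exposed
    fi
}

# True when a saved kernel log shows the oops with the frames named in the trace.
has_crash_signature() {   # $1 = log file, e.g. saved output of `journalctl -k`
    grep -q 'kernel NULL pointer dereference' "$1" &&
        grep -q '__ipv6_chk_addr_and_flags' "$1" &&
        grep -Eq 'bond_validate_na|bond_rcv_validate' "$1"
}

# Evaluate every bonding device on this host; prints nothing if there are none.
report_host() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    for f in /sys/class/net/*/bonding/arp_validate; do
        [ -r "$f" ] || continue
        dev=${f%/bonding/arp_validate}
        echo "${dev##*/}: $(exposure_state "$cmdline" "$(cat "$f")")"
    done
}

report_host
```

Requiring all three strings in `has_crash_signature` keeps unrelated NULL dereference oopses from matching.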

What immediate steps should I take to mitigate this vulnerability?

This vulnerability occurs when the Linux kernel is booted with the 'ipv6.disable=1' parameter and bonding ARP/NS validation is enabled, which can cause a kernel NULL pointer dereference crash.

To mitigate this vulnerability immediately, avoid booting the system with the 'ipv6.disable=1' parameter if bonding ARP/NS validation is required.

Alternatively, update the Linux kernel to a version where this issue is fixed by checking ipv6_mod_enabled() before dispatching IPv6 packets to bond_na_rcv(), which prevents the crash.

