Skip to main content

Linux CVE-2026-23293

| EUVDEUVD-2026-15224 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-03-25 Linux GHSA-4mrh-9qq5-26w5
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 29, 2026 - 15:07 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15224
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:26 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled

When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If an IPv6 packet is injected into the interface, route_shortcircuit() is called and a NULL pointer dereference happens on neigh_lookup().

BUG: kernel NULL pointer dereference, address: 0000000000000380 Oops: Oops: 0000 [#1] SMP NOPTI [...] RIP: 0010:neigh_lookup+0x20/0x270 [...] Call Trace: <TASK> vxlan_xmit+0x638/0x1ef0 [vxlan] dev_hard_start_xmit+0x9e/0x2e0 __dev_queue_xmit+0xbee/0x14e0 packet_sendmsg+0x116f/0x1930 __sys_sendto+0x1f5/0x200 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x12f/0x1590 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fix this by adding an early check on route_shortcircuit() when protocol is ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because VXLAN can be built-in even when IPv6 is built as a module.

AnalysisAI

A NULL pointer dereference vulnerability exists in the Linux kernel's VXLAN implementation when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When an IPv6 packet is injected into a VXLAN interface, the route_shortcircuit() function attempts to call neigh_lookup() on an uninitialized nd_tbl (neighbor discovery table), causing a kernel panic and denial of service. This affects all Linux distributions shipping vulnerable kernel versions, and while no CVSS score or EPSS data is provided, the presence of six stable kernel commits and reproducible crash conditions indicates high practical impact.

Technical ContextAI

The vulnerability exists in the VXLAN (Virtual eXtensible Local Area Network) driver (cpe:2.3:a:linux:linux) where IPv6 support interacts with the neighbor discovery mechanism. When the kernel is booted with 'ipv6.disable=1', the inet6_init() function exits early before calling ndisc_init(), which is responsible for initializing the nd_tbl (neighbor discovery table) structure. The VXLAN driver's route_shortcircuit() function lacks validation to check whether IPv6 is actually enabled before dereferencing nd_tbl, leading to a NULL pointer dereference at offset 0x380 within the neigh_lookup() function. This is fundamentally a missing input validation and state-check issue (CWE-476: NULL Pointer Dereference), compounded by insufficient guards around optional kernel subsystem initialization.

RemediationAI

Update the Linux kernel to a version containing the fix (commit hashes: b5190fcd75a1f1785c766a8d1e44d3938e168f45 or equivalent in your distribution's stable branch). Most major distributions have already released patched kernels; check your vendor's security advisories via https://git.kernel.org/stable/. For those unable to patch immediately, the workaround is to either enable IPv6 (remove 'ipv6.disable=1' from kernel boot parameters) or disable VXLAN if not required. Disabling VXLAN can be accomplished by preventing the vxlan kernel module from loading via blacklisting in modprobe.d, or by removing vxlan-dependent network configurations. The fix itself is a simple early-return check in route_shortcircuit() that validates IPv6 is enabled before accessing nd_tbl, making patching low-risk.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23293 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy