Skip to main content

Linux CVE-2026-23304

| EUVDEUVD-2026-15242 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-03-25 Linux GHSA-3qgv-qj84-5mmh
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 28, 2026 - 14:37 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15242
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:26 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()

l3mdev_master_dev_rcu() can return NULL when the slave device is being un-slaved from a VRF. All other callers deal with this, but we lost the fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu() with commit 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address").

KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418) Call Trace: ip6_pol_route (net/ipv6/route.c:2318) fib6_rule_lookup (net/ipv6/fib6_rules.c:115) ip6_route_output_flags (net/ipv6/route.c:2607) vrf_process_v6_outbound (drivers/net/vrf.c:437)

I was tempted to rework the un-slaving code to clear the flag first and insert synchronize_rcu() before we remove the upper. But looks like the explicit fallback to loopback_dev is an established pattern. And I guess avoiding the synchronize_rcu() is nice, too.

AnalysisAI

A NULL pointer dereference vulnerability exists in the Linux kernel's IPv6 routing code within the ip6_rt_get_dev_rcu() function, triggered when a slave device is being un-slaved from a Virtual Routing and Forwarding (VRF) context. The vulnerability affects all Linux kernel versions with the affected code path and can be exploited to cause a kernel panic and denial of service. This issue was introduced by commit 4832c30d5458 which removed the fallback to loopback device handling, and multiple stable kernel branches have received patches to restore the NULL pointer check and fallback logic.

Technical ContextAI

The vulnerability resides in the IPv6 routing subsystem (net/ipv6/route.c) where the ip6_rt_pcpu_alloc() function calls ip6_rt_get_dev_rcu() to retrieve a network device for route allocation. The underlying issue is a missing NULL pointer check following a call to l3mdev_master_dev_rcu(), which is designed to retrieve the master VRF device but legitimately returns NULL during the un-slaving process when a device is being removed from a VRF context. The root cause classifies as CWE-476 (NULL Pointer Dereference), occurring when the code assumes a non-NULL return value without validation. The affected product is the Linux kernel across multiple versions (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), specifically in the IPv6 route handling pathway invoked during VRF device operations. The commit 4832c30d5458 introduced this regression by reorganizing device handling logic without maintaining the established fallback pattern to the loopback device that existed in prior code.

RemediationAI

Apply the latest stable kernel update for your respective kernel branch, which includes the NULL pointer dereference fix in ip6_rt_get_dev_rcu(). The specific patches are available in the Linux kernel stable repository via the six git commits listed in the vulnerability references. Users should upgrade to kernel versions that include one of the following fixes: commit 4a48fe59f29f673a3d042d679f26629a9c3e29d4 or its equivalents in other stable branches. Until patching is completed, avoid performing un-slaving operations on VRF slave devices in production environments, or perform such operations during maintenance windows after backup procedures. For environments where kernel upgrades cannot be immediately performed, restrict VRF configuration changes to scheduled maintenance periods and implement monitoring on the affected systems to detect kernel panics caused by NULL pointer dereferences in the IPv6 routing code. Consult your Linux distribution's security advisory for the specific kernel package versions that include this fix.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23304 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy