Skip to main content

Linux CVE-2026-23381

| EUVDEUVD-2026-15374 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-03-25 Linux GHSA-vm87-vmvc-9c38
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15374
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:28 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled

When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. Then, if neigh_suppress is enabled and an ICMPv6 Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() will dereference ipv6_stub->nd_tbl which is NULL, passing it to neigh_lookup(). This causes a kernel NULL pointer dereference.

BUG: kernel NULL pointer dereference, address: 0000000000000268 Oops: 0000 [#1] PREEMPT SMP NOPTI [...] RIP: 0010:neigh_lookup+0x16/0xe0 [...] Call Trace: <IRQ> ? neigh_lookup+0x16/0xe0 br_do_suppress_nd+0x160/0x290 [bridge] br_handle_frame_finish+0x500/0x620 [bridge] br_handle_frame+0x353/0x440 [bridge] __netif_receive_skb_core.constprop.0+0x298/0x1110 __netif_receive_skb_one_core+0x3d/0xa0 process_backlog+0xa0/0x140 __napi_poll+0x2c/0x170 net_rx_action+0x2c4/0x3a0 handle_softirqs+0xd0/0x270 do_softirq+0x3f/0x60

Fix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in the callers. This is in essence disabling NS/NA suppression when IPv6 is disabled.

AnalysisAI

A NULL pointer dereference vulnerability exists in the Linux kernel's bridge networking module when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When Neighbor Discovery (ND) suppression is enabled on a bridge, an ICMPv6 packet reaching the bridge causes the kernel to dereference a NULL pointer in the nd_tbl structure, resulting in a kernel panic and denial of service. This affects all Linux kernel versions with this code path, and while no CVSS score or EPSS data is currently available, the vulnerability is readily triggered through network packet receipt on systems with specific boot configurations.

Technical ContextAI

The vulnerability resides in the Linux kernel's bridge module (net/bridge) and involves the IPv6 Neighbor Discovery (ND) subsystem. When IPv6 is disabled at boot time using 'ipv6.disable=1', the inet6_init() function exits early before ndisc_init() is called, leaving the ipv6_stub->nd_tbl pointer uninitialized (NULL). The br_do_suppress_nd() function in the bridge driver attempts to suppress Neighbor Discovery and Neighbor Advertisement packets by calling neigh_lookup() with this NULL pointer, violating memory safety assumptions. The affected CPE is cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* (all Linux versions). While no specific CWE is provided in the intelligence data, this falls under CWE-476 (NULL Pointer Dereference) due to missing initialization checks and unsafe pointer dereference when subsystem initialization is skipped.

RemediationAI

Upgrade the Linux kernel to a version containing one of the provided fix commits. For most systems, this involves updating to the latest stable kernel for your distribution (e.g., via 'apt upgrade linux-image' on Debian/Ubuntu, 'yum update kernel' on RHEL/CentOS, or direct kernel compilation from kernel.org). The fix replaces IS_ENABLED(IPV6) compile-time checks with ipv6_mod_enabled() runtime checks in br_do_suppress_nd(), disabling ND/NA suppression when IPv6 is runtime-disabled. Until patching is completed, implement workarounds by either (1) removing the 'ipv6.disable=1' boot parameter if IPv6 can be tolerated, (2) disabling bridge ND suppression via 'bridge nf_call_ip6tables=0' sysctl if ND suppression is not required, or (3) restricting ICMPv6 traffic to the bridge via firewall rules. Reference the upstream fixes at https://git.kernel.org/stable/ using the commit hashes provided above.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy