Skip to main content

Linux Kernel CVE-2026-43101

| EUVDEUVD-2026-27612 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-06 Linux GHSA-r529-g827-7gf5
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:26 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.5 (HIGH)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data()

We need to check __in6_dev_get() for possible NULL value, as suggested by Yiming Qian.

Also add skb_dst_dev_rcu() instead of skb_dst_dev(), and two missing READ_ONCE().

Note that @dev can't be NULL.

AnalysisAI

NULL pointer dereferences in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) trace data handling cause denial of service when network packets trigger the vulnerable code path. Affects Linux kernel 5.15 through 6.19.14 and mainline branches. Despite CVSS 7.5 High severity with network vector and no authentication, EPSS exploitation probability is very low (0.02%, 4th percentile), and no active exploitation or public POC is identified at time of analysis. Vendor patches available via stable kernel commits.

Technical ContextAI

The vulnerability exists in the Linux kernel's IPv6 IOAM implementation, specifically in the __ioam6_fill_trace_data() function within net/ipv6/ioam6.c. IOAM is an IPv6 extension header mechanism for collecting operational telemetry as packets traverse network nodes. The code failed to validate the return value of __in6_dev_get() before dereferencing, creating NULL pointer dereference conditions. Additional issues include missing READ_ONCE() primitives for race-safe reads and use of skb_dst_dev() instead of the RCU-safe skb_dst_dev_rcu() variant. The affected CPE strings (cpe:2.3:a:linux:linux) indicate broad impact across Linux kernel versions. This is a memory safety issue typical of kernel network stack code where concurrent access patterns and pointer validity checks are critical.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.24, 6.19.14, or later stable releases, or apply mainline commits 3719c234fa94c37c955b1ecd3742ef280ec135e6, 4198aab6f000b4febb18ea820fea20634dd789c7, or 4e65a8b8daa18d63255ec58964dd192c7fdd9f8b available at https://git.kernel.org/stable/c/. For systems where immediate patching is not feasible, disable IPv6 IOAM functionality by ensuring CONFIG_IPV6_IOAM6_LWTUNNEL is not set during kernel compilation, or at runtime disable IOAM processing via sysctl if supported (impact: loss of IPv6 telemetry collection capabilities). If IPv6 is not required, disable IPv6 protocol stack entirely via sysctl net.ipv6.conf.all.disable_ipv6=1 (impact: breaks IPv6 connectivity). Network-level mitigation is impractical as filtering IOAM headers would require deep packet inspection at every ingress point. Compensating controls provide limited value-prioritize patching for production systems with IPv6 IOAM enabled.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43101 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy