Skip to main content

Linux EUVDEUVD-2026-15235

| CVE-2026-23300 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-03-25 Linux GHSA-77gg-4hmh-hwxc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
4.4 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 28, 2026 - 15:07 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15235
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:26 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop

When a standalone IPv6 nexthop object is created with a loopback device (e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies it as a reject route. This is because nexthop objects have no destination prefix (fc_dst=::), causing fib6_is_reject() to match any loopback nexthop. The reject path skips fib_nh_common_init(), leaving nhc_pcpu_rth_output unallocated. If an IPv4 route later references this nexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and panics.

Simplify the check in fib6_nh_init() to only match explicit reject routes (RTF_REJECT) instead of using fib6_is_reject(). The loopback promotion heuristic in fib6_is_reject() is handled separately by ip6_route_info_create_nh(). After this change, the three cases behave as follows:

  1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"):

RTF_REJECT is set, enters reject path, skips fib_nh_common_init(). No behavior change.

  1. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"):

RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. ip6_route_info_create_nh() still promotes it to reject afterward. nhc_pcpu_rth_output is allocated but unused, which is harmless.

  1. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"):

RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. nhc_pcpu_rth_output is properly allocated, fixing the crash when IPv4 routes reference this nexthop.

AnalysisAI

A kernel panic vulnerability exists in Linux IPv6 nexthop handling where standalone IPv6 nexthop objects created with loopback devices are misclassified as reject routes, causing the nhc_pcpu_rth_output field to remain unallocated. When an IPv4 route subsequently references this nexthop, a NULL pointer dereference in __mkroute_output() triggers a kernel panic, resulting in denial of service. All Linux kernel versions with IPv6 nexthop support are affected, and the vulnerability is remotely triggerable by unprivileged users with network configuration capabilities.

Technical ContextAI

The vulnerability resides in the Linux kernel's IPv6 routing subsystem, specifically in the fib6_nh_init() function responsible for initializing nexthop objects. The root cause is a logic error in fib6_is_reject() which incorrectly classifies standalone IPv6 nexthop objects bound to loopback interfaces as reject routes due to their lack of a destination prefix (fc_dst=::). The reject path bypasses fib_nh_common_init(), which normally allocates the nhc_pcpu_rth_output per-CPU routing cache. When an IPv4 route later references this nexthop through the cross-protocol routing mechanism, the __mkroute_output() function attempts to dereference the unallocated nhc_pcpu_rth_output pointer, causing a NULL pointer dereference kernel panic. The affected product is the Linux kernel (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) across all versions supporting IPv6 nexthop objects, which became available in kernel 5.9+. The CWE classification falls under CWE-476 (NULL Pointer Dereference) and CWE-690 (Unchecked Return Value to NULL Pointer).

RemediationAI

Update the Linux kernel to the latest stable version in your series (6.9+ or the latest LTS release 6.6.x, 5.15.x, etc.) that includes the fix commits referenced in git.kernel.org/stable/. For distributions, apply security updates immediately via your package manager (apt upgrade, yum update, zypper patch, or equivalent). Until patching is possible, restrict network namespace creation and the use of iproute2 commands (ip nexthop add, ip route add) to trusted administrators only, and disable IPv6 routing where not required in production environments. Consider using kernel module loading restrictions and seccomp policies to prevent unprivileged processes from accessing netlink sockets used for route manipulation. For cloud environments, apply hypervisor-level kernel updates or migrate workloads to patched instances. Container image maintainers should rebuild images with patched kernel packages to ensure all derived deployments receive the fix.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy