Skip to main content

Linux Kernel EUVDEUVD-2026-27608

| CVE-2026-43099 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-06 Linux
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:26 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.5 (HIGH)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ipv4: icmp: fix null-ptr-deref in icmp_build_probe()

ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing this error pointer to dev_hold() will cause a kernel crash with null-ptr-deref.

Instead, silently discard the request. RFC 8335 does not appear to define a specific response for the case where an IPv6 interface identifier is syntactically valid but the implementation cannot perform the lookup at runtime, and silently dropping the request may safer than misreporting "No Such Interface".

AnalysisAI

Null pointer dereference in Linux kernel ICMP probe handling crashes systems when IPv6 module is configured but not loaded. The icmp_build_probe() function fails to validate ERR_PTR(-EAFNOSUPPORT) from ipv6_stub->ipv6_dev_find(), passing the error pointer directly to dev_hold() and triggering immediate kernel panic. EPSS probability is low (0.02%, 5th percentile) and no active exploitation confirmed, but CVSS 7.5 High severity reflects trivial remote unauthenticated denial-of-service against vulnerable kernel configurations. Patches available across stable branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0) with upstream commit identifiers confirmed.

Technical ContextAI

This vulnerability affects the Linux kernel's IPv4 ICMP implementation, specifically the RFC 8335 Extended ICMP probe message handler introduced in commit d329ea5bd8845f0b. The bug occurs in the kernel's modular IPv6 stack design: when CONFIG_IPV6=m (module) but the IPv6 module is not loaded, ipv6_stub->ipv6_dev_find() returns ERR_PTR(-EAFNOSUPPORT) rather than NULL to indicate IPv6 unavailability. The icmp_build_probe() function lacks IS_ERR() validation before passing this return value to dev_hold(), which dereferences the pointer expecting a valid net_device structure. Since ERR_PTR encodes error codes as kernel addresses (typically 0xFFFFFFFFFFFFxxxx on 64-bit), the dereference accesses invalid memory, triggering null-ptr-deref detection and immediate kernel panic. The vulnerability represents a classic error-handling mismatch between kernel subsystems using PTR_ERR conventions without proper validation at API boundaries. The fix silently discards malformed probe requests rather than attempting IPv6 interface resolution when the stack is unavailable, aligning with kernel robustness principles since RFC 8335 does not mandate specific error responses for implementation-specific lookup failures.

RemediationAI

Update to patched kernel versions immediately: 6.6.136+ for LTS 6.6.x series, 6.12.83+ for 6.12.x series, 6.18.24+ for 6.18.x series, 6.19.14+ for 6.19.x series, or 7.0+ for mainline. Downstream distribution kernels (RHEL, Ubuntu, SUSE, Debian) will incorporate fixes in upcoming security updates - monitor vendor security advisories and apply via standard package management. Reference upstream commits at https://git.kernel.org/stable/c/5b9911582d441f72fe6ccb15ffe3303bbc07f6f5 and related branch-specific commits. For systems requiring temporary mitigation before patching, load the IPv6 kernel module (modprobe ipv6) to prevent ERR_PTR return condition - this workaround changes system behavior by enabling IPv6 stack, may conflict with security policies requiring IPv6 disabled, and should only be temporary until patching. Alternatively, block incoming ICMP Extended probe messages (Type 42) at network perimeter firewalls using iptables rule 'iptables -A INPUT -p icmp --icmp-type 42 -j DROP' - this prevents legitimate RFC 8335 diagnostics, breaks ICMP-based network troubleshooting features, and requires firewall rule deployment across infrastructure. No application-layer mitigations exist as vulnerability resides in kernel network stack. Reboot required after kernel update to activate patched code.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27608 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy