Skip to main content

Linux Kernel EUVDEUVD-2026-28747

| CVE-2026-43441 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-08 Linux GHSA-pfqp-2whq-57g2
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:35 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:22 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled

When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags().

BUG: kernel NULL pointer dereference, address: 00000000000005d8 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170 Call Trace: <IRQ> ipv6_chk_addr+0x1f/0x30 bond_validate_na+0x12e/0x1d0 [bonding] ? __pfx_bond_handle_frame+0x10/0x10 [bonding] bond_rcv_validate+0x1a0/0x450 [bonding] bond_handle_frame+0x5e/0x290 [bonding] ? srso_alias_return_thunk+0x5/0xfbef5 __netif_receive_skb_core.constprop.0+0x3e8/0xe50 ? srso_alias_return_thunk+0x5/0xfbef5 ? update_cfs_rq_load_avg+0x1a/0x240 ? srso_alias_return_thunk+0x5/0xfbef5 ? __enqueue_entity+0x5e/0x240 __netif_receive_skb_one_core+0x39/0xa0 process_backlog+0x9c/0x150 __napi_poll+0x30/0x200 ? srso_alias_return_thunk+0x5/0xfbef5 net_rx_action+0x338/0x3b0 handle_softirqs+0xc9/0x2a0 do_softirq+0x42/0x60 </IRQ> <TASK> __local_bh_enable_ip+0x62/0x70 __dev_queue_xmit+0x2d3/0x1000 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? packet_parse_headers+0x10a/0x1a0 packet_sendmsg+0x10da/0x1700 ? kick_pool+0x5f/0x140 ? srso_alias_return_thunk+0x5/0xfbef5 ? __queue_work+0x12d/0x4f0 __sys_sendto+0x1f3/0x220 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x101/0xf80 ? exc_page_fault+0x6e/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK>

Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() and avoid the path to ipv6_chk_addr().

AnalysisAI

Null pointer dereference in Linux kernel bonding driver crashes systems running with IPv6 disabled (ipv6.disable=1) when IPv6 Neighbor Solicitation packets arrive on bonded interfaces with ARP/NS validation enabled. Affects Linux kernel versions 5.18+ up to 6.19.9/7.0, with vendor patches available across stable branches (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile) and no active exploitation or public POC has been identified, but the high CVSS 7.5 reflects trivial remote triggering (AV:N/AC:L/PR:N) for denial-of-service in affected configurations.

Technical ContextAI

The vulnerability exists in the Linux kernel bonding driver's IPv6 Neighbor Advertisement (NA) validation path. When the kernel boots with 'ipv6.disable=1', the inet6_init() function exits early, preventing ndisc_init() from initializing the global nd_tbl (Neighbor Discovery table). If network bonding is configured with ARP/NS validation enabled and an IPv6 NS/NA packet arrives on a slave interface, the packet flows through bond_handle_frame() → bond_rcv_validate() → bond_validate_na() → bond_has_this_ip6() → ipv6_chk_addr() → __ipv6_chk_addr_and_flags(). The final function dereferences nd_tbl at offset 0x5d8 without checking if IPv6 subsystem initialization completed, causing a kernel NULL pointer dereference (Oops). The affected code path was introduced in commit 4e24be018eb9 and spans kernel versions 5.18 through pre-patch 6.x/7.0 branches. The fix adds an ipv6_mod_enabled() check in bond_rcv_validate() to return early when IPv6 is disabled, preventing the vulnerable code path from executing.

RemediationAI

Upgrade to patched kernel versions: 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0+ depending on your active stable branch. Patch commits available at https://git.kernel.org/stable/c/30021e969d48e5819d5ae56936c2f34c0f7ce997 (mainline) and branch-specific commits listed in references. If immediate patching is not feasible, implement one of these compensating controls: (1) Remove ipv6.disable=1 boot parameter to allow full IPv6 subsystem initialization (trade-off: enables IPv6 stack if organizationally prohibited), (2) Disable bonding ARP/NS validation via 'echo 0 > /sys/class/net/bond0/bonding/arp_validate' (trade-off: reduces slave interface failure detection accuracy), or (3) Filter inbound IPv6 traffic at network perimeter before bonded interfaces using ip6tables/nftables rules (trade-off: adds processing overhead and breaks legitimate IPv6 traffic if later re-enabling IPv6). Option 2 provides immediate mitigation with minimal operational impact for environments requiring IPv6 to remain disabled.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy