{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23293", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:51.160Z", "dateUpdated": "2026-03-25T10:26:51.160Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:26:51.160Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the 'ipv6.disable=1' parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. If an IPv6 packet is injected into the interface,\nroute_shortcircuit() is called and a NULL pointer dereference happens on\nneigh_lookup().\n\n BUG: kernel NULL pointer dereference, address: 0000000000000380\n Oops: Oops: 0000 [#1] SMP NOPTI\n [...]\n RIP: 0010:neigh_lookup+0x20/0x270\n [...]\n Call Trace:\n <TASK>\n vxlan_xmit+0x638/0x1ef0 [vxlan]\n dev_hard_start_xmit+0x9e/0x2e0\n __dev_queue_xmit+0xbee/0x14e0\n packet_sendmsg+0x116f/0x1930\n __sys_sendto+0x1f5/0x200\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x12f/0x1590\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix this by adding an early check on route_shortcircuit() when protocol\nis ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because\nVXLAN can be built-in even when IPv6 is built as a module."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/vxlan/vxlan_core.c"], "versions": [{"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945", "lessThan": "b5190fcd75a1f1785c766a8d1e44d3938e168f45", "status": "affected", "versionType": "git"}, {"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945", "lessThan": "5f93e6b4d12bd3a4517a6d447ea675f448f21434", "status": "affected", "versionType": "git"}, {"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945", "lessThan": "f0373e9317bc904e7bdb123d3106fe4f3cea2fb7", "status": "affected", "versionType": "git"}, {"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945", "lessThan": "fbbd2118982c55fb9b0a753ae0cf7194e77149fb", "status": "affected", "versionType": "git"}, {"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945", "lessThan": "abcd48ecdeb2e12eccb8339a35534c757782afcd", "status": "affected", "versionType": "git"}, {"version": "e15a00aafa4b7953ad717d3cb1ad7acf4ff76945", "lessThan": "168ff39e4758897d2eee4756977d036d52884c7e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/vxlan/vxlan_core.c"], "versions": [{"version": "3.12", "status": "affected"}, {"version": "0", "lessThan": "3.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b5190fcd75a1f1785c766a8d1e44d3938e168f45"}, {"url": "https://git.kernel.org/stable/c/5f93e6b4d12bd3a4517a6d447ea675f448f21434"}, {"url": "https://git.kernel.org/stable/c/f0373e9317bc904e7bdb123d3106fe4f3cea2fb7"}, {"url": "https://git.kernel.org/stable/c/fbbd2118982c55fb9b0a753ae0cf7194e77149fb"}, {"url": "https://git.kernel.org/stable/c/abcd48ecdeb2e12eccb8339a35534c757782afcd"}, {"url": "https://git.kernel.org/stable/c/168ff39e4758897d2eee4756977d036d52884c7e"}], "title": "net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the 'ipv6.disable=1' parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. If an IPv6 packet is injected into the interface,\nroute_shortcircuit() is called and a NULL pointer dereference happens on\nneigh_lookup().\n\n BUG: kernel NULL pointer dereference, address: 0000000000000380\n Oops: Oops: 0000 [#1] SMP NOPTI\n [...]\n RIP: 0010:neigh_lookup+0x20/0x270\n [...]\n Call Trace:\n <TASK>\n vxlan_xmit+0x638/0x1ef0 [vxlan]\n dev_hard_start_xmit+0x9e/0x2e0\n __dev_queue_xmit+0xbee/0x14e0\n packet_sendmsg+0x116f/0x1930\n __sys_sendto+0x1f5/0x200\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x12f/0x1590\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix this by adding an early check on route_shortcircuit() when protocol\nis ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because\nVXLAN can be built-in even when IPv6 is built as a module."}], "id": "CVE-2026-23293", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:24.520", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/168ff39e4758897d2eee4756977d036d52884c7e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5f93e6b4d12bd3a4517a6d447ea675f448f21434"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/abcd48ecdeb2e12eccb8339a35534c757782afcd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b5190fcd75a1f1785c766a8d1e44d3938e168f45"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f0373e9317bc904e7bdb123d3106fe4f3cea2fb7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fbbd2118982c55fb9b0a753ae0cf7194e77149fb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled", "id": "2451191", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451191"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-824", "details": ["A flaw was found in the Linux kernel's Virtual Extensible LAN (VXLAN) module. When IPv6 is disabled, a remote attacker can trigger a system crash by injecting a specially crafted IPv6 packet into the network interface. This vulnerability, a null pointer dereference, can lead to a denial of service."], "mitigation": {"lang": "en:us", "value": "Do not use the ipv6.disable=1 boot parameter on systems using VXLAN, or avoid VXLAN when IPv6 is disabled."}, "name": "CVE-2026-23293", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23293\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23293\nhttps://lore.kernel.org/linux-cve-announce/2026032525-CVE-2026-23293-b422@gregkh/T"], "statement": "This flaw affects systems using VXLAN while IPv6 is explicitly disabled via the ipv6.disable=1 boot parameter. When an IPv6 packet reaches the VXLAN interface under these conditions, the uninitialized nd_tbl causes a NULL pointer dereference. This configuration (VXLAN with IPv6 disabled) is uncommon but could be present in specialized network deployments.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T12:05:03.555791+00:00", "value": {"mitigation_remediation": ["Upgrade to a Linux kernel that contains the early check for route_shortcircuit when the protocol is ETH_P_IPV6, which prevents the NULL pointer dereference.", "If a kernel upgrade is not possible, ensure that no IPv6 traffic can reach the VXLAN interface by keeping the ipv6.disable parameter and/or blocking IPv6 traffic to the interface with firewall rules.", "Consider disabling the VXLAN interface when it is not required to eliminate the fault path."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel installations that include the VXLAN module and operate with IPv6 disabled by the kernel parameter ipv6.disable=1 are impacted. This covers vanilla kernels where VXLAN can be built in or loaded as a module. No specific version numbers are provided, so every kernel build prior to the commit that added the early route_shortcircuit check is vulnerable.", "description_and_impact": "The Linux kernel VXLAN stack can fault when IPv6 is disabled at boot time. Because the IPv6 initialization routine exits before the neighbor table is initialized, an incoming IPv6 packet sent to a VXLAN interface triggers a NULL pointer dereference inside the neighbor lookup routine. The crash manifests as a kernel Oops and a system reboot. The weakness is a classic NULL pointer dereference, identified as CWE\u2011476.", "risk_and_exploitability": "The CVSS score and EPSS information are not supplied, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires that the attacker can deliver an IPv6 packet to a VXLAN interface on a compromised or reachable system with IPv6 disabled. If such traffic reaches the interface, the kernel will crash, resulting in a denial of service. The attack does not provide privilege escalation capabilities according to the available data."}}}}, "created": "2026-03-25T21:15:37.501989+00:00", "updated": "2026-03-25T21:15:37.502066+00:00", "vendors": [], "weaknesses": ["CWE-476"]}