Description
In the Linux kernel, the following vulnerability has been resolved:

net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled

When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. If an IPv6 packet is injected into the interface,
route_shortcircuit() is called and a NULL pointer dereference happens on
neigh_lookup().

BUG: kernel NULL pointer dereference, address: 0000000000000380
Oops: Oops: 0000 [#1] SMP NOPTI
[...]
RIP: 0010:neigh_lookup+0x20/0x270
[...]
Call Trace:
<TASK>
vxlan_xmit+0x638/0x1ef0 [vxlan]
dev_hard_start_xmit+0x9e/0x2e0
__dev_queue_xmit+0xbee/0x14e0
packet_sendmsg+0x116f/0x1930
__sys_sendto+0x1f5/0x200
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x12f/0x1590
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fix this by adding an early check on route_shortcircuit() when protocol
is ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because
VXLAN can be built-in even when IPv6 is built as a module.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs in the Linux networking stack, specifically within the VXLAN module. When the kernel is booted with IPv6 disabled, the neighbor discovery table required for IPv6 operations is never initialized. If an IPv6 packet is injected into a VXLAN interface, the code later inserts a NULL pointer dereference, leading to a kernel crash and a system halt. This type of failure results in an immediate loss of service for the affected node but does not provide an attacker with direct code execution or data exfiltration capabilities.

Affected Systems

All Linux kernel builds that include the VXLAN driver and lack the fix introduced in the referenced kernel commit are vulnerable. The affected vendor is Linux, the product is the Linux kernel; any upstream kernel version preceding the change could be at risk.

Risk and Exploitability

The CVSS score of 5.5 reflects a medium severity, primarily due to the denial‑of‑service nature of the crash. EPSS indicates an estimated probability of exploitation below 1 %, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known exploitation in the wild. An attacker would need the ability to inject crafted IPv6 packets to a VXLAN interface, which could occur via a local or remote network connection depending on system exposure. While the current scoring and lack of exploitation data imply a modest risk, a kernel crash on a production host can have critical operational impacts.

Generated by OpenCVE AI on May 29, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the early NULL check in route_shortcircuit, as added by the kernel patch commit.
  • Restrict or block IPv6 traffic on VXLAN interfaces using firewall rules or network policy to prevent the crash scenario.
  • If an immediate kernel update is not possible, disable the VXLAN module or remove IPv6 support from the affected interface to eliminate the vulnerability.

Generated by OpenCVE AI on May 29, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Fri, 29 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If an IPv6 packet is injected into the interface, route_shortcircuit() is called and a NULL pointer dereference happens on neigh_lookup(). BUG: kernel NULL pointer dereference, address: 0000000000000380 Oops: Oops: 0000 [#1] SMP NOPTI [...] RIP: 0010:neigh_lookup+0x20/0x270 [...] Call Trace: <TASK> vxlan_xmit+0x638/0x1ef0 [vxlan] dev_hard_start_xmit+0x9e/0x2e0 __dev_queue_xmit+0xbee/0x14e0 packet_sendmsg+0x116f/0x1930 __sys_sendto+0x1f5/0x200 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x12f/0x1590 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fix this by adding an early check on route_shortcircuit() when protocol is ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because VXLAN can be built-in even when IPv6 is built as a module.
Title net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:04:04.903Z

Reserved: 2026-01-13T15:37:45.993Z

Link: CVE-2026-23293

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T11:16:24.520

Modified: 2026-05-29T15:04:45.067

Link: CVE-2026-23293

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23293 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T17:15:04Z

Weaknesses