Description
In the Linux kernel, the following vulnerability has been resolved:

net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled

When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. If an IPv6 packet is injected into the interface,
route_shortcircuit() is called and a NULL pointer dereference happens on
neigh_lookup().

BUG: kernel NULL pointer dereference, address: 0000000000000380
Oops: Oops: 0000 [#1] SMP NOPTI
[...]
RIP: 0010:neigh_lookup+0x20/0x270
[...]
Call Trace:
<TASK>
vxlan_xmit+0x638/0x1ef0 [vxlan]
dev_hard_start_xmit+0x9e/0x2e0
__dev_queue_xmit+0xbee/0x14e0
packet_sendmsg+0x116f/0x1930
__sys_sendto+0x1f5/0x200
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x12f/0x1590
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fix this by adding an early check on route_shortcircuit() when protocol
is ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because
VXLAN can be built-in even when IPv6 is built as a module.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Kernel Crash)
Action: Patch
AI Analysis

Impact

The flaw occurs in the Linux networking stack, specifically within the VXLAN module. When the kernel is booted with IPv6 disabled, the neighbor discovery table required for IPv6 operations is never initialized. If an IPv6 packet is injected into a VXLAN interface, the code later inserts a NULL pointer dereference, leading to a kernel crash and a system halt. This type of failure results in an immediate loss of service for the affected node but does not provide an attacker with direct code execution or data exfiltration capabilities.

Affected Systems

All Linux kernel builds that include the VXLAN driver and lack the patch introduced in commit 168ff39e, which add the early NULL check, are vulnerable. The vulnerability would affect any distribution using the upstream kernel before the fix was merged. The affected vendor is Linux, the product is the Linux kernel; no specific patch level information is provided, so any kernel upstream version that predates the change is potentially at risk.

Risk and Exploitability

The CVSS score of 5.5 reflects a medium severity, primarily due to the denial‑of‑service nature of the crash. EPSS indicates an estimated probability of exploitation below 1 %, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known exploitation in the wild. An attacker would need the ability to inject crafted IPv6 packets to a VXLAN interface, which could be achieved through a local or remote network connection depending on system exposure. While the current scoring and lack of exploitation data imply a modest risk, a kernel crash on a production host can have critical operational impacts.

Generated by OpenCVE AI on March 26, 2026 at 13:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the early NULL check in route_shortcircuit, as added by the patch commit.
  • Verify the kernel version with "uname -r" and compare against the upstream release notes to ensure the fix is present.
  • If an immediate kernel update is not possible, disable the VXLAN module or remove IPv6 support from the affected interface to prevent the crash scenario.

Generated by OpenCVE AI on March 26, 2026 at 13:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If an IPv6 packet is injected into the interface, route_shortcircuit() is called and a NULL pointer dereference happens on neigh_lookup(). BUG: kernel NULL pointer dereference, address: 0000000000000380 Oops: Oops: 0000 [#1] SMP NOPTI [...] RIP: 0010:neigh_lookup+0x20/0x270 [...] Call Trace: <TASK> vxlan_xmit+0x638/0x1ef0 [vxlan] dev_hard_start_xmit+0x9e/0x2e0 __dev_queue_xmit+0xbee/0x14e0 packet_sendmsg+0x116f/0x1930 __sys_sendto+0x1f5/0x200 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x12f/0x1590 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fix this by adding an early check on route_shortcircuit() when protocol is ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because VXLAN can be built-in even when IPv6 is built as a module.
Title net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:57:43.516Z

Reserved: 2026-01-13T15:37:45.993Z

Link: CVE-2026-23293

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:24.520

Modified: 2026-04-18T09:16:17.247

Link: CVE-2026-23293

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23293 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T13:55:03Z

Weaknesses