Description
In the Linux kernel, the following vulnerability has been resolved:

net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled

When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. Then, if neigh_suppress is enabled and an ICMPv6
Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() will
dereference ipv6_stub->nd_tbl which is NULL, passing it to
neigh_lookup(). This causes a kernel NULL pointer dereference.

BUG: kernel NULL pointer dereference, address: 0000000000000268
Oops: 0000 [#1] PREEMPT SMP NOPTI
[...]
RIP: 0010:neigh_lookup+0x16/0xe0
[...]
Call Trace:
<IRQ>
? neigh_lookup+0x16/0xe0
br_do_suppress_nd+0x160/0x290 [bridge]
br_handle_frame_finish+0x500/0x620 [bridge]
br_handle_frame+0x353/0x440 [bridge]
__netif_receive_skb_core.constprop.0+0x298/0x1110
__netif_receive_skb_one_core+0x3d/0xa0
process_backlog+0xa0/0x140
__napi_poll+0x2c/0x170
net_rx_action+0x2c4/0x3a0
handle_softirqs+0xd0/0x270
do_softirq+0x3f/0x60

Fix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in
the callers. This is in essence disabling NS/NA suppression when IPv6 is
disabled.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel Crash (Denial of Service)
Action: Patch
AI Analysis

Impact

The vulnerability occurs in the Linux kernel's bridge networking code. When IPv6 is disabled via the kernel boot parameter, the nd_tbl structure is never initialized. If Neighbor Discovery suppression is enabled and an ICMPv6 Neighbor Discovery packet is processed by a bridged interface, the code dereferences a NULL nd_tbl pointer, triggering a kernel NULL pointer dereference and an Oops crash. This results in a denial of service by crashing the kernel and requiring a reboot, exemplifying a CWE‑824 weakness.

Affected Systems

All Linux kernel installations that include the bridge networking subsystem are potentially affected when IPv6 is disabled and Neighbor Discovery suppression is enabled. No specific versions are listed, so any kernel version compiling the upstream bridge code at the time of this vulnerability could be impacted until the fix is applied. Distributions that ship kernel packages must ensure that the updated kernel is deployed to users running a bridged network configuration with IPv6 disabled.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not currently catalogued in CISA’s KEV list. Exploitation requires that the bridged system receives an ICMPv6 Neighbor Discovery packet, which could be triggered by legitimate network traffic when IPv6 is partially enabled or by a crafted packet if the system processes such traffic. Because the flaw results in a kernel crash rather than privilege escalation, the focus is on preventing service interruption. The official fix replaces the compile-time check with a runtime check, effectively disabling Neighbor Suppression when IPv6 is disabled.

Generated by OpenCVE AI on March 26, 2026 at 14:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel release that includes the fix for CVE-2026-23381.
  • Verify that your bridge configuration does not enable neighbor suppression when IPv6 is disabled.
  • If an immediate kernel upgrade is not possible, disable IPv6-related bridge functionality or revert to a non‑vulnerable kernel version until the patch is available.
  • Continuously monitor system logs for Oops messages related to br_do_suppress_nd and apply subsequent security patches promptly.

Generated by OpenCVE AI on March 26, 2026 at 14:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. Then, if neigh_suppress is enabled and an ICMPv6 Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() will dereference ipv6_stub->nd_tbl which is NULL, passing it to neigh_lookup(). This causes a kernel NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000268 Oops: 0000 [#1] PREEMPT SMP NOPTI [...] RIP: 0010:neigh_lookup+0x16/0xe0 [...] Call Trace: <IRQ> ? neigh_lookup+0x16/0xe0 br_do_suppress_nd+0x160/0x290 [bridge] br_handle_frame_finish+0x500/0x620 [bridge] br_handle_frame+0x353/0x440 [bridge] __netif_receive_skb_core.constprop.0+0x298/0x1110 __netif_receive_skb_one_core+0x3d/0xa0 process_backlog+0xa0/0x140 __napi_poll+0x2c/0x170 net_rx_action+0x2c4/0x3a0 handle_softirqs+0xd0/0x270 do_softirq+0x3f/0x60 Fix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in the callers. This is in essence disabling NS/NA suppression when IPv6 is disabled.
Title net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:22.834Z

Reserved: 2026-01-13T15:37:46.007Z

Link: CVE-2026-23381

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:38.160

Modified: 2026-04-18T09:16:22.620

Link: CVE-2026-23381

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23381 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:48:59Z

Weaknesses