Description
In the Linux kernel, the following vulnerability has been resolved:

ipv4: icmp: fix null-ptr-deref in icmp_build_probe()

ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
this error pointer to dev_hold() will cause a kernel crash with
null-ptr-deref.

Instead, silently discard the request. RFC 8335 does not appear to
define a specific response for the case where an IPv6 interface
identifier is syntactically valid but the implementation cannot perform
the lookup at runtime, and silently dropping the request may safer than
misreporting "No Such Interface".
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null-pointer dereference occurs in the Linux kernel’s icmp_build_probe() routine. When the IPv6 stack is not active (CONFIG_IPV6=m and not loaded), the function ipv6_stub->ipv6_dev_find() may return an error pointer. Passing this error pointer to dev_hold() triggers a null-pointer dereference, causing the kernel to crash. The crash can be induced by a specially crafted ICMP probe, leading to a denial of service that affects all users on the compromised system. The weakness is a classic null-pointer dereference (CWE‑476).

Affected Systems

All Linux kernel releases that include the vulnerable icmp_build_probe() implementation are affected, with no specific version list available. The flaw applies to both IPv4 and IPv6 processing paths and becomes relevant when IPv6 support is compiled as a module or disabled. Any kernel running before the announced patch is at risk.

Risk and Exploitability

The flaw can be exploited remotely by sending crafted ICMP packets from an address that can reach the target. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Exploitation requires network connectivity and the ability to craft ICMP traffic; it leads to a kernel crash without directly providing privilege escalation. The overall risk is moderate to high for systems exposed to untrusted networks, particularly those that allow unrestricted ICMP traffic.

Generated by OpenCVE AI on May 6, 2026 at 12:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that contains the icmp_build_probe null‑pointer dereference fix
  • If a kernel upgrade cannot be performed immediately, ensure that IPv6 support is either compiled into the kernel or that the ipv6 module is loaded so that ipv6_dev_find() does not return an error pointer
  • As a temporary measure, block or filter unsolicited ICMP packets that could trigger the crash, for example by using firewall rules to drop suspicious ICMP echo requests

Generated by OpenCVE AI on May 6, 2026 at 12:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: fix null-ptr-deref in icmp_build_probe() ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing this error pointer to dev_hold() will cause a kernel crash with null-ptr-deref. Instead, silently discard the request. RFC 8335 does not appear to define a specific response for the case where an IPv6 interface identifier is syntactically valid but the implementation cannot perform the lookup at runtime, and silently dropping the request may safer than misreporting "No Such Interface".
Title ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T07:40:29.567Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43099

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-06T10:16:23.400

Modified: 2026-05-06T10:16:23.400

Link: CVE-2026-43099

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T12:15:03Z

Weaknesses