Description
In the Linux kernel, the following vulnerability has been resolved:

ipv4: icmp: fix null-ptr-deref in icmp_build_probe()

ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
this error pointer to dev_hold() will cause a kernel crash with
null-ptr-deref.

Instead, silently discard the request. RFC 8335 does not appear to
define a specific response for the case where an IPv6 interface
identifier is syntactically valid but the implementation cannot perform
the lookup at runtime, and silently dropping the request may safer than
misreporting "No Such Interface".
Published: 2026-05-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null-pointer dereference in the Linux kernel’s icmp_build_probe() routine can cause a system-wide kernel crash. When the IPv6 stack is not active, the function ipv6_dev_find() may return an error pointer; passing that pointer to dev_hold() triggers the crash. The flaw corresponds to CWE‑253 (Improper Check of Explicit Null Reference) and CWE‑476 (NULL pointer dereference). It results in a denial of service without granting privilege escalation.

Affected Systems

All Linux kernel releases that include the vulnerable icmp_build_probe() implementation are affected, as no specific version list is available. The issue applies when IPv6 support is compiled as a module or disabled, impacting both IPv4 and IPv6 ICMP processing paths.

Risk and Exploitability

The likely attack vector is through network-based ICMP packets, as the description implies but does not explicitly state the vector. An attacker with network connectivity can craft an ICMP probe that triggers the crash. The EPSS score is < 1%, and the vulnerability is not listed in CISA KEV, yet the CVSS score of 7.5 indicates high severity. Exploitation causes a kernel crash and thus a denial of service but does not allow direct privilege escalation. The overall risk is moderate to high for systems exposed to untrusted networks that permit unsolicited ICMP traffic.

Generated by OpenCVE AI on May 11, 2026 at 18:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that contains the icmp_build_probe null‑pointer dereference fix
  • If a kernel upgrade cannot be performed immediately, ensure that IPv6 support is either compiled into the kernel or that the ipv6 module is loaded so that ipv6_dev_find() does not return an error pointer
  • As a temporary measure, block or filter unsolicited ICMP packets that could trigger the crash, for example by using firewall rules to drop suspicious ICMP echo requests

Generated by OpenCVE AI on May 11, 2026 at 18:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Fri, 08 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-253
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 06 May 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: fix null-ptr-deref in icmp_build_probe() ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing this error pointer to dev_hold() will cause a kernel crash with null-ptr-deref. Instead, silently discard the request. RFC 8335 does not appear to define a specific response for the case where an IPv6 interface identifier is syntactically valid but the implementation cannot perform the lookup at runtime, and silently dropping the request may safer than misreporting "No Such Interface".
Title ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:42.709Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43099

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T10:16:23.400

Modified: 2026-05-11T17:36:29.717

Link: CVE-2026-43099

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43099 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T18:45:25Z

Weaknesses