Impact
The bug in the Linux kernel's nexthop handling results from failing to update the has_v4 flag when an IPv6 nexthop is replaced with an IPv4 nexthop. This oversight allows a stale has_v4 value to bypass a critical route validation check and attach IPv6 routes to groups containing only IPv4 members. When the system subsequently performs a route lookup, the nexthop_fib6_nh function dereferences a NULL pointer that should have been caught, leading to a kernel panic. The crash is a denial–of–service that into an unusable state.
Affected Systems
The vulnerability is present in the Linux kernel across all versions that contain the buggy nexthop implementation before the patch. No specific version range is provided, so any kernel that has not yet applied the fix commit (29c95185…) is potentially exposed. in the latest kernel releases released after the patch; administrators should verify that the running kernel includes the commit that updates the nh_group_v4_update logic for all address families.
Risk and Exploitability
Because the flaw requires manipulation of the routing table – an operation normally performed by privileged users – the attack vector is local or escalation to root-level access. No remote exploit is known, and the EPSS score is less than 1%. Because the kernel crash would stop all services on the compromised system, the CVSS score of 5.5 indicates moderate severity. The vulnerability is not currently listed in CISA’s KEV catalog, but the critical impact of a kernel panic makes it a priority for patching.
OpenCVE Enrichment
Debian DLA