Impact
The vulnerability occurs in the IPv6 address configuration code of the Linux kernel. When addrconf_get_prefix_route() returns the sentinel fib6_null_entry, cleanup_prefix_route() attempts to set its expiration time without checking whether the underlying fib6_table pointer is NULL. This unchecked dereference triggers a null pointer dereference, causing a general protection fault and an immediate kernel crash. The resulting denial of service can bring the entire system offline, affecting all services running on the host.
Affected Systems
All Linux kernel versions that include the IPv6 address configuration implementation before the patch commit 07d9a0870a178843cea44cfd58c27445dc94cf5f are affected. The CPE identifier shows the vulnerability applies to the general Linux kernel, meaning any distribution (Ubuntu, CentOS, Debian, etc.) running an unpatched kernel that handles IPv6 routing or can trigger addrconf_get_prefix_route() will be vulnerable. The patch has already been incorporated into the mainline kernel starting with that commit, so newer releases after that point are safe.
Risk and Exploitability
The CVSS score of 5.5 classifies the weakness as moderate in severity, and the EPSS score of less than 1% indicates a very low probability of exploitation observed in real-world data. The vulnerability is not listed in the CISA KEV catalog, so there is no known exploitation campaign targeting it. Based on the description, the likelihood of exploitation relies on triggering a code path that processes IPv6 routes; this can be done by sending crafted IPv6 packets or by local processes that configure or delete IPv6 addresses. Because the fault results in a kernel crash rather than arbitrary code execution, it does not provide a direct path to compromise the system, but it poses a significant availability risk, particularly for servers that require high uptime or that actively use IPv6.
OpenCVE Enrichment