{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23381", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.007Z", "datePublished": "2026-03-25T10:28:00.416Z", "dateUpdated": "2026-03-25T10:28:00.416Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:28:00.416Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the 'ipv6.disable=1' parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. Then, if neigh_suppress is enabled and an ICMPv6\nNeighbor Discovery packet reaches the bridge, br_do_suppress_nd() will\ndereference ipv6_stub->nd_tbl which is NULL, passing it to\nneigh_lookup(). This causes a kernel NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000268\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n [...]\n RIP: 0010:neigh_lookup+0x16/0xe0\n [...]\n Call Trace:\n <IRQ>\n ? neigh_lookup+0x16/0xe0\n br_do_suppress_nd+0x160/0x290 [bridge]\n br_handle_frame_finish+0x500/0x620 [bridge]\n br_handle_frame+0x353/0x440 [bridge]\n __netif_receive_skb_core.constprop.0+0x298/0x1110\n __netif_receive_skb_one_core+0x3d/0xa0\n process_backlog+0xa0/0x140\n __napi_poll+0x2c/0x170\n net_rx_action+0x2c4/0x3a0\n handle_softirqs+0xd0/0x270\n do_softirq+0x3f/0x60\n\nFix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in\nthe callers. This is in essence disabling NS/NA suppression when IPv6 is\ndisabled."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bridge/br_device.c", "net/bridge/br_input.c"], "versions": [{"version": "ed842faeb2bd49256f00485402f3113205f91d30", "lessThan": "7a894eb5de246d79f13105c55a67381039a24d44", "status": "affected", "versionType": "git"}, {"version": "ed842faeb2bd49256f00485402f3113205f91d30", "lessThan": "a12cdaa3375f0bd3c8f4e564be7c143529abfe5b", "status": "affected", "versionType": "git"}, {"version": "ed842faeb2bd49256f00485402f3113205f91d30", "lessThan": "aa73deb3b6b730ec280d45b3f423bfa9e17bc122", "status": "affected", "versionType": "git"}, {"version": "ed842faeb2bd49256f00485402f3113205f91d30", "lessThan": "33dec6f10777d5a8f71c0a200f690da5ae3c2e55", "status": "affected", "versionType": "git"}, {"version": "ed842faeb2bd49256f00485402f3113205f91d30", "lessThan": "20ef5c25422f97dd09d751e5ae6c18406cdc78e6", "status": "affected", "versionType": "git"}, {"version": "ed842faeb2bd49256f00485402f3113205f91d30", "lessThan": "e5e890630533bdc15b26a34bb8e7ef539bdf1322", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bridge/br_device.c", "net/bridge/br_input.c"], "versions": [{"version": "4.15", "status": "affected"}, {"version": "0", "lessThan": "4.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7a894eb5de246d79f13105c55a67381039a24d44"}, {"url": "https://git.kernel.org/stable/c/a12cdaa3375f0bd3c8f4e564be7c143529abfe5b"}, {"url": "https://git.kernel.org/stable/c/aa73deb3b6b730ec280d45b3f423bfa9e17bc122"}, {"url": "https://git.kernel.org/stable/c/33dec6f10777d5a8f71c0a200f690da5ae3c2e55"}, {"url": "https://git.kernel.org/stable/c/20ef5c25422f97dd09d751e5ae6c18406cdc78e6"}, {"url": "https://git.kernel.org/stable/c/e5e890630533bdc15b26a34bb8e7ef539bdf1322"}], "title": "net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the 'ipv6.disable=1' parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. Then, if neigh_suppress is enabled and an ICMPv6\nNeighbor Discovery packet reaches the bridge, br_do_suppress_nd() will\ndereference ipv6_stub->nd_tbl which is NULL, passing it to\nneigh_lookup(). This causes a kernel NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000268\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n [...]\n RIP: 0010:neigh_lookup+0x16/0xe0\n [...]\n Call Trace:\n <IRQ>\n ? neigh_lookup+0x16/0xe0\n br_do_suppress_nd+0x160/0x290 [bridge]\n br_handle_frame_finish+0x500/0x620 [bridge]\n br_handle_frame+0x353/0x440 [bridge]\n __netif_receive_skb_core.constprop.0+0x298/0x1110\n __netif_receive_skb_one_core+0x3d/0xa0\n process_backlog+0xa0/0x140\n __napi_poll+0x2c/0x170\n net_rx_action+0x2c4/0x3a0\n handle_softirqs+0xd0/0x270\n do_softirq+0x3f/0x60\n\nFix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in\nthe callers. This is in essence disabling NS/NA suppression when IPv6 is\ndisabled."}], "id": "CVE-2026-23381", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:38.160", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/20ef5c25422f97dd09d751e5ae6c18406cdc78e6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/33dec6f10777d5a8f71c0a200f690da5ae3c2e55"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7a894eb5de246d79f13105c55a67381039a24d44"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a12cdaa3375f0bd3c8f4e564be7c143529abfe5b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/aa73deb3b6b730ec280d45b3f423bfa9e17bc122"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e5e890630533bdc15b26a34bb8e7ef539bdf1322"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled", "id": "2451220", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451220"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-824", "details": ["A flaw was found in the Linux kernel's network bridging component. When Internet Protocol version 6 (IPv6) is explicitly disabled, a critical data structure for Neighbor Discovery is not properly initialized. A remote attacker could exploit this by sending a specially crafted Internet Control Message Protocol version 6 (ICMPv6) Neighbor Discovery packet. This could lead to a kernel NULL pointer dereference, causing the system to crash and resulting in a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "Do not use the ipv6.disable=1 boot parameter on systems using network bridging with neighbor suppression, or disable neigh_suppress on bridges when IPv6 is disabled."}, "name": "CVE-2026-23381", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23381\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23381\nhttps://lore.kernel.org/linux-cve-announce/2026032543-CVE-2026-23381-378d@gregkh/T"], "statement": "This flaw affects bridge configurations with neigh_suppress enabled while IPv6 is disabled via ipv6.disable=1. When ICMPv6 ND packets reach the bridge, br_do_suppress_nd() dereferences the uninitialized nd_tbl, causing a NULL pointer crash. Similar to CVE-2026-23293 but affects bridge instead of VXLAN.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T12:20:34.454886+00:00", "value": {"mitigation_remediation": ["Apply an updated Linux kernel that contains the patch replacing IS_ENABLED(IPV6) with ipv6_mod_enabled().", "If a kernel update cannot be performed immediately, confirm that IPv6 is fully disabled in the boot configuration and consider disabling neighbor suppression or unloading the bridge module until the fix is applied.", "After changes, validate bridge operation and monitor system logs for kernel oops messages."], "summary": {"action": "Apply Patch", "impact": "Kernel crash due to NULL pointer dereference"}, "threat_synthesis": {"affected_systems": "All Linux kernels that enable the bridge module and are booted with the 'ipv6.disable=1' option are affected. No specific vendor version numbers are listed in the advisory, so the vulnerability applies to any kernel build that contains the unpatched bridge code and processes bridge traffic while IPv6 is disabled.", "description_and_impact": "The Linux kernel bridge module contains a flaw that occurs when IPv6 is disabled at boot. Without IPv6, the nd_tbl data structure is never initialized. When neighbor suppression is active and a Neighbor Discovery packet reaches the bridge, the function br_do_suppress_nd dereferences the null nd_tbl pointer, causing a kernel NULL pointer crash. The result is a kernel oops that brings the machine down, leading to a denial of service.", "risk_and_exploitability": "The CVE does not provide an explicit CVSS score or EPSS value, and it is not listed in the CISA KEV catalog. The worst\u2011case impact is a local or remote kernel crash that stops all services on the host. The likely attack path involves sending an ICMPv6 Neighbor Discovery packet to a bridge interface from outside the host when neighbor suppression is enabled; this scenario is inferred from the description and not stated outright. Because the flaw only results in a crash and does not grant code execution, the exploitability is lower than for remote code execution, but it still offers a clear denial\u2011of\u2011service vector."}}}}, "created": "2026-03-25T21:31:34.883129+00:00", "updated": "2026-03-25T21:31:34.883210+00:00", "vendors": [], "weaknesses": ["CWE-476"]}